Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Werner Koch
On Wed,  5 Feb 2014 04:15, mailinglis...@hauke-laging.de said:

 Wow. Does that mean that PGP can verify OpenPGP keys with X.509 
 certificates (in combination with a related OpenPGP certificate)? Or is 
 this just a theoretical feature?

IIRC, the PGP desktop client also integrated an IPsec client and thus
they needed key management for IKE.  Merging this into the PGP key
manager was easier for them.

 Are there reasons (beside the obvious effort and work budget) for not 
 having implemented this in GnuPG?

Check out GPA, Claws, Kleopatra, GpgOL, or GpgEX - they integrate it.  In
general it does not make sense to use the same key - there is no
advantage.  For smartcards this is a different story, though.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: making the X.509 infrastructure available for OpenPGP

2014-02-05 Thread Werner Koch
On Wed,  5 Feb 2014 19:04, pe...@digitalbrains.com said:

 An X.509 certification obviously certifies that a certain X.509 certificate
 belongs to the person or role identified by the Distinguished Name. But seen a

Almost all X.509 certifications in public use certify only one of two
things:

 - Someone has pushed a few bucks over to the CA.

 - Someone has convinced the CA to directly or indirectly issue a
   certificate.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




[Abimbola, Gbenga] RE: Shouldn't keyservers store and provide subkeys?

2005-03-25 Thread Werner Koch

Mail From: Abimbola, Gbenga  

/ Message starts here /
Hi:

I sent the message below, and did not see the request in March 2005 Archive. Is 
this the right mailing list? 
Can you help with respect to the message below?

Meanwhile, during the configuration (./configure) and the make  make install, 
I received a lot of warning messages (like ...incompatible data types, etc), 
but in the end I got the binary. Has anyone compiled gnupg without any errors?

Thanks.

Gbenga


 -Original Message-
From:   Abimbola, Gbenga  
Sent:   Wednesday, March 23, 2005 4:41 PM
To: 'gnupg-users@gnupg.org'
Subject:FW: Help on information with Gnupg

 

Hi:

I recently tried to install GnuPG and after compilation (I got lot of warning 
errors though), I did type:

$ gpg -v

and got the following message:

gpg: conversion from `utf-8' to `roman8' not available

Can anyone point me to any quick solution? This is my first time.

Thanks.

Gbenga Abimbola
Columbus, OH



/ Message ends here /




Re: gpg script to remove passphrase from secret key

2005-03-29 Thread Werner Koch
On Mon, 28 Mar 2005 18:43:12 -0800, Kai-Min Sung said:

 and here's the input file:

 ---input start---
 passwd
 old_pass

 Y
 save
 Y

 ---input end---

If you use such a canned input file, make sure that it is only used
with gpg versions you tested.  The correct way is to parse the
status-fd messages and provide the answers as required.


Salam-Shalom,

   Werner
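
Added example (not code from the original mail or from GnuPG): answering gpg's prompts by name from the status-fd stream, set beside a positional replay of a canned input file like the one quoted above. The transcripts are constructed, `example.new.question` is a hypothetical prompt, and the prompt names `keyedit.prompt`, `passphrase.enter` and `change_passwd.empty.okay` are assumptions to confirm against the status output of the gpg version you test.

```python
"""Answer gpg prompts by name from --status-fd lines (added example)."""
from collections import deque

PREFIX = "[GNUPG:] "
PROMPT_KINDS = {"GET_LINE", "GET_HIDDEN", "GET_BOOL"}


class UnexpectedPrompt(Exception):
    """gpg asked something the script has no (remaining) answer for."""


def prompts(transcript):
    """Yield (kind, location) for every prompt in a status-fd transcript."""
    for line in transcript.splitlines():
        if not line.startswith(PREFIX):
            continue  # ordinary output, not a status line
        fields = line[len(PREFIX):].split()
        if len(fields) >= 2 and fields[0] in PROMPT_KINDS:
            yield fields[0], fields[1]


def run(transcript, script):
    """Answer each prompt from `script`, keyed by (kind, location).

    Returns the lines to write to --command-fd.  Raises UnexpectedPrompt
    for a prompt with no prepared answer and when answers are left over.
    A live driver would do the same lookup line by line while gpg runs.
    """
    queues = {key: deque(answers) for key, answers in script.items()}
    replies = []
    for key in prompts(transcript):
        queue = queues.get(key)
        if not queue:
            raise UnexpectedPrompt("no answer prepared for {} {}".format(*key))
        replies.append(queue.popleft() + "\n")
    unused = {k: list(q) for k, q in queues.items() if q}
    if unused:
        raise UnexpectedPrompt("dialogue ended early, unused: {!r}".format(unused))
    return replies


def replay_canned(transcript, canned):
    """What a canned input file does: the next line goes to whatever is asked."""
    pending = deque(canned)
    return [(loc, pending.popleft() if pending else None)
            for _kind, loc in prompts(transcript)]


# Constructed transcript of the dialogue the script was tested with.
TESTED = """\
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
[GNUPG:] GET_BOOL change_passwd.empty.okay
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
[GNUPG:] GOT_IT
"""

# Constructed transcript of another version that asks one extra question
# (hypothetical prompt name) right after the "passwd" command.
_lines = TESTED.splitlines()
CHANGED = "\n".join(
    _lines[:2]
    + ["[GNUPG:] GET_BOOL example.new.question", "[GNUPG:] GOT_IT"]
    + _lines[2:]
)

# Answers keyed by prompt, consumed in order per prompt.
SCRIPT = {
    ("GET_LINE", "keyedit.prompt"): ["passwd", "save"],
    ("GET_HIDDEN", "passphrase.enter"): ["old_pass", ""],  # old, then empty new
    ("GET_BOOL", "change_passwd.empty.okay"): ["Y"],
}

# The same answers as a positional list, modelled on the quoted input file.
CANNED = ["passwd", "old_pass", "", "Y", "save"]

if __name__ == "__main__":
    print("tested version :", run(TESTED, SCRIPT))
    print("canned, changed:", replay_canned(CHANGED, CANNED))
    try:
        run(CHANGED, SCRIPT)
    except UnexpectedPrompt as exc:
        print("driver, changed: aborted,", exc)
```

With the changed dialogue the positional replay hands the old passphrase to a yes/no question and shifts every later answer by one, while the keyed driver stops at the first prompt it does not know.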




Re: Winpt error -- Sorry, you need a newer gpg version

2005-03-30 Thread Werner Koch
On Sun, 27 Mar 2005 12:03:06 -0600, David Gibbs said:

 I get this error anytime I try to start up WinPT on my XP SP2 system.

 Sorry, you need a newer GPG version.
 GPG version 1.0.4 requred GPG version 1.2.4

You probably have an old version of GnuPG somewhere.  I suggest to
install the latest winpt as well as the latest gnupg (1.4.1) and make
sure that WinPT's preferences are correct.  Under preferences-gpg you
need to enter the full path to gpg.exe.  With gpg 1.4.1 this is
something like c:\Program Files\GNU\GnuPGH\gpg.exe 


Shalom-Salam,

   Werner





Re: (Import-)Problem in gnupg 1.4.1

2005-03-30 Thread Werner Koch
On Tue, 22 Mar 2005 19:04:17 +0100, Thomas Marx said:

 every key is listed twice. The difference is the usage of the slash and
 the back slash.

I just checked it and the reason for the duplicate listing is that we
use a case-insensitive compare but care about slash and backslash.  In
this regard the files are different and both get listed.  I hesitate
to change the comparison due to possible side effects.

You have specified the keyrings at two different places or simply
added the default keyring a second time in the gpg.conf.  Please make
sure to consistently use slashes or backslashes.  Compare gpg.conf
against the Registry setting HKCU\Software\GNU\GnuPG:HomeDir - I guess
that the Registry entry used forward slashes for historic reasons.


Salam-Shalom,

   Werner






Re: Clarification on purpose of subordinate keys

2005-03-31 Thread Werner Koch
On Wed, 30 Mar 2005 13:53:47 +0200, Dirk Traulsen said:

 This sounds interesting. Please help me to clarify it a bit.
 After some tests and reading in my understanding it works like this:

[1...7]

Correct.

 When system2 would be cracked, an attacker would not have access to 
 the secret part of my main key (really?).

Correct.  The secret key is not on system2.  This is indicated by a
hash mark like:

  sec#  1024D/5B0358A2 1999-03-15 [expires: 2009-07-11]
  uid  Werner Koch [EMAIL PROTECTED]
  uid  Werner Koch [EMAIL PROTECTED]
  ssb   1024D/010A57ED 2004-03-21
  ssb   2048R/B604F148 2004-03-21
  
(A similar thing is with smartcards, there a '' indicates that the
 secret key is actually stored on a smartcard).

 But for me it would still be possible to go to system1 and
 a.  change my passphrase
 b.  revoke the compromised subkeys
 c.  add new subkeys and start the cycle again 
 without losing all the signatures on my uid in the primary key, what 
 would have been the case, if I had to revoke the complete key.

Correct.

 The only negative point is, that I have to go to system1 to maintain 
 my key.

 Is this correct?

Yes.



Salam-Shalom,

   Werner




Re: --export problem

2005-04-07 Thread Werner Koch
On Thu, 7 Apr 2005 11:56:39 +0530 , Thutika, Srinivas (ODC said:

 But when I try to import from --import I am getting keys only I am not
 getting the secret keys

--export does not export secret keys because, well, they are secret.

If you really need to move the secret keys to another machine, you
need to use the command --export-secret-keys to export the secret
keys (and only them).  --import will just fine import secret keys.


Salam-Shalom,

   Werner




Re: Version 0.3 of GPGee Available

2005-04-07 Thread Werner Koch
On Thu, 07 Apr 2005 00:32:31 -0600, Kurt Fitzner said:

 p.s. btw... I suppose I should ask if these type of announcements are
 kosher for this mailing list?

As long as it is Free Software those announcements are welcome.  If
you want to post it to [EMAIL PROTECTED], just go ahead and
drop me a note so I can approve it.


Shalom-Salam,

   Werner




Re: OpenPGP Smartcard Advantages

2005-04-12 Thread Werner Koch
On Mon, 11 Apr 2005 10:08:10 -0700, David  said:

 1. What are the advantages of this smartcard for storing my keys over
 other external media (especially if connected to an unsafe computer)?

Without physical access to the card it is not possible to extract the
keys.  With physical access it is hard to do, expensive and
destroys the card.

 2. Is the signing / encrypting done inside the card or the computer?
 (If connected to a compromised computer access to my private key can
 compromise the key itself.)

Signing and decrypting is done inside the card.

The only thing a malicious host can do is to lock the card (by sending
several times a wrong PIN) and to trick you into signing or decrypting
data.


Salam-Shalom,

   Werner




Re: OpenPGP card and BasicCard

2005-04-13 Thread Werner Koch
On Wed, 13 Apr 2005 09:08:24 +0200, Christian Rank said:

 according to a notice at www.basiccard.com, the BasicCard manufactured
 by ZeitControl cardsystems GmbH should support the OpenPGP smartcard
 specification. Are the OpenPGP cards sold by kernelconcepts.de such
 BasicCards?

The cards are built upon the Basiccard OS but they are not a freely
programmable Basiccard.  Note, that Zeitcontrol's cards with RSA
encryption are not available to end users (probably due to fear of
litigation coming from pay TV companies; those using the security by
litigation crypto algorithm).

Zeitcontrol's page is somewhat misleading, claiming OpenPGP select
the



Shalom-Salam,

   Werner




Re: Encrypt with public key from stdin/file possible?

2005-04-13 Thread Werner Koch
On Wed, 13 Apr 2005 14:19:04 +0200, Sargon  said:

 like to feed gpg w/o importing it first in its public keyring and
 afterwards specify the ID of the public key. According to my
 researches on the net and on the gnupg.org site, there's no way to do
 this though.

 Can anyone confirm this?

That's right.


Shalom-Salam,

   Werner




Re: OpenPGP card and BasicCard

2005-04-14 Thread Werner Koch
On Thu, 14 Apr 2005 08:20:13 +0200, Christian Rank said:

 So the OpenPGP cards are ZeitControls's BasicCards with RSA encryption
 and the OpenPGP application loaded and put in state 'RUN' (no further
 programming of the card possible)?

Exactly.

 What I'm missing from the OpenPGP card is the ability to load a PKCS#15
 structure on the card. This would make it possible to use this card not

No way.  There is a reason why we did this simple design.  pkcs#15 is
a complex thing with a lot of incompatibilities between
implementations.

 only for signing and encryption, but also for WWW authentication with
 client certificates. Is something like that planned in the future?

There is a vague plan of writing a pkcs#11 library using the card as
actual crypto token.  Most likely this library will speak to scdaemon
via gpg-agent and thus support a variety of cards - including native
pkcs#15 cards.

AFAIK, there is pkcs#15 emulation code in OpenSC for our card.  Not
sure whether it is still functional; Olaf Kirch once wrote it and told
me that he succeeded in using the card.


Salam-Shalom,

   Werner





Re: OpenPGP card and BasicCard

2005-04-15 Thread Werner Koch
On Fri, 15 Apr 2005 07:45:23 +0200, Christian Rank said:

 operations without success, but that may be due to the fact that I have
 an OpenPGP card version 1.1, while the OpenSC support is for version 1.0.

That does not matter.  The changes in 1.1 are: 4 new data objects -
OpenSC does not know about this such they can't disturb.  The public
key may now be readout without presenting CHV3 first - it doesn't
matter if you present it anyway.  So I can't see a reason why 1.1
should make any difference.


Salam-Shalom,

   Werner




Re: OpenPGP Smartcard with Cygwin

2005-04-20 Thread Werner Koch
On Thu, 31 Mar 2005 16:20:29 +0200, Peter L Smilde said:

 I tried installing pcsc-lite from their website, but this only installs
 a libpcsclite.a and libpcsclite.la.

 How do I get the Smartcard working under Cygwin? I found no information
 on this topic (OpenPGP smartcard cygwin) in the web.

You may want to try the option

--pcsc-driver winscard.dll

Not sure whether this works.  Better use a plain gpg build for
Windows.

 Under Windows itself the OpenPGP card works fine. (Except, that when no
 card is inserted in the (SCR335) card reader while signing an error
 window pops up telling that Die Anweisung in 0x7c9211de veweist auf
 Speicher in 0x Der Vorgang read konnte nicht auf dem

I have done some debugging and it seems that it is indeed a driver
problem.


Salam-Shalom,

   Werner




Re: Clearing passwords in agent

2005-04-21 Thread Werner Koch
On Wed, 20 Apr 2005 14:40:34 -0700 (PDT), Bluthgeld  said:

 1. Is it possible to clear all passwords in agent
 regardless its ttl, without killing it? I mean
 something like ssh-add -D?

pkill -HUP gpg-agent

 2. Is it possible to force agent to reload its
 configuration from file given primarily with
 --options?

Same as above.  However, not all options are reloaded.

  opt.quiet = 0;
  opt.verbose = 0;
  opt.debug = 0;
  opt.no_grab = 0;
  opt.pinentry_program = NULL;
  opt.scdaemon_program = NULL;
  opt.def_cache_ttl = DEFAULT_CACHE_TTL;
  opt.max_cache_ttl = MAX_CACHE_TTL;
  opt.ignore_cache_for_signing = 0;
  opt.allow_mark_trusted = 0;
  opt.disable_scdaemon = 0;

The above list shows the options which are changeable at runtime,
others are ignored.  The actual option names are similar to the above
variable names.  I'll add notes to the manual.


Salam-Shalom,

   Werner





Re: fixing a corrup keyring

2005-04-21 Thread Werner Koch
On Tue, 19 Apr 2005 10:55:07 +0200, folkert  said:

 Hi,
 I have a keyring with quite a few keys (thousands) and now something
 is wrong with it:
 gpg --list-keys gives
 gpg: O j: mpi crosses packet border

It is unfortunate that gpg bails out immediately in this case.  In fact
it is not a bug (this is what the Ohhh j shall indicate) but
corrupt input data.  I have not created a test case yet but changed
the code to fail more gracefully.  This won't help too much I fear
but it is a first step to a recovery mode.

Please apply the attached patch against 1.4.1 or CVS.


Salam-Shalom,

   Werner

2005-04-21  Werner Koch  [EMAIL PROTECTED]

* mpicoder.c (mpi_read): Changed error detection to always return
an error while maintaining the actual number of bytes read.


--- mpi/mpicoder.c  20 Dec 2004 10:05:20 -  1.33
+++ mpi/mpicoder.c  21 Apr 2005 13:21:15 -
@@ -1,5 +1,5 @@
 /* mpicoder.c  -  Coder for the external representation of MPIs
- * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2005 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -74,20 +74,23 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
 #endif
 {
 int c, i, j;
+unsigned int nmax = *ret_nread;
 unsigned nbits, nbytes, nlimbs, nread=0;
 mpi_limb_t a;
 MPI val = MPI_NULL;
 
 if( (c = iobuf_get(inp)) == -1 )
goto leave;
-nread++;
+if (++nread = nmax)
+goto overflow;
 nbits = c  8;
 if( (c = iobuf_get(inp)) == -1 )
goto leave;
-nread++;
+if (++nread = nmax)
+goto overflow;
 nbits |= c;
 if( nbits  MAX_EXTERN_MPI_BITS ) {
-   log_error(mpi too large (%u bits)\n, nbits);
+   log_error(mpi too large for this implementation (%u bits)\n, nbits);
goto leave;
 }
 
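Review bot: `unsigned int nmax = *ret_nread;` at the top of mpi_read turns ret_nread into an in/out parameter (byte limit on entry, bytes consumed on return), and nothing in the hunk documents this or guards against a caller passing an uninitialised or zero value. Please state the contract in the comment above the function. The comparison operator in `if (++nread = nmax)` is missing from this archived copy, so whether a header ending exactly at the limit counts as overflow should be confirmed against the committed version.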
@@ -108,6 +111,15 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
 for( ; j  0; j-- ) {
a = 0;
for(; i  BYTES_PER_MPI_LIMB; i++ ) {
+if (nread = nmax) {
+#ifdef M_DEBUG
+mpi_debug_free (val);
+#else
+mpi_free (val);
+#endif
+val = NULL;
+goto overflow;
+}
a = 8;
a |= iobuf_get(inp)  0xff; nread++;
}
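Review bot: the read inside the limb loop, `a |= iobuf_get(inp)  0xff; nread++;`, still does not test for the end-of-input return that the two header reads check with `== -1`, so a truncated packet is counted as data even with the new length check in front of it. Consider checking the return value before merging it into `a`, and freeing val on that path too. Minor style point: the new block assigns `val = NULL` while the declaration uses MPI_NULL; use one constant throughout.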
@@ -116,10 +128,11 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
 }
 
   leave:
-if( nread  *ret_nread )
-   log_bug(mpi crosses packet border\n);
-else
-   *ret_nread = nread;
+*ret_nread = nread;
+return val;
+  overflow:
+log_error (mpi larger than indicated length (%u bytes)\n, nmax);
+*ret_nread = nread;
 return val;
 }
 
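Review bot: the `overflow:` label repeats `*ret_nread = nread; return val;` from `leave:`; placing `overflow:` with its log_error call above `leave:` and falling through would leave a single exit path. Because log_bug is replaced by log_error here, this condition now returns to the caller, so the function comment should say that a NULL result with *ret_nread filled in is the error indication callers have to check.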


Re: corrupted keyring; now what is corrupted?

2005-04-22 Thread Werner Koch
On Fri, 22 Apr 2005 07:17:01 +0200, folkert  said:

 Will that also fix gpgme? It seems it has the same troubles.

gpgme uses gpg, so if it is solved the problem for gpg, it also does
for gpgme.


Shalom-Salam,

   Werner




[Announce] GnuPG 1.9.16 (S/MIME) released

2005-04-25 Thread Werner Koch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello!

We are pleased to announce the availability of GnuPG 1.9.16; the
development branch of GnuPG featuring the S/MIME protocol.

GnuPG 1.9 is the development version of GnuPG; it is based on some old
GnuPG 1.3 code and the previous NewPG package.  It will eventually
lead to a GnuPG 2.0 release.  Note that GnuPG 1.4 and 1.9 are not yet
in sync and thus features and bug fixes done in 1.4 are not available
in 1.9.  *Please keep on using 1.4.x for OpenPGP*; 1.9.x and 1.4.x may
be installed simultaneously.

You should use GnuPG 1.9 if you want to use the gpg-agent or gpgsm
(the S/MIME variant of gpg).  The gpg-agent is also helpful when using
the stable gpg version 1.4 (as well as the old 1.2 series).

This is mainly a bug fix release but comes with some new features as
well:

 * gpg-agent does now support the ssh-agent protocol and thus allows
   to use the pinentry as well as the OpenPGP smartcard with ssh.

 * New tool gpg-connect-agent as a general client for the gpg-agent.

 * New tool symcryptrun as a wrapper for certain encryption tools.

 * The gpg tool is not anymore build by default because those gpg
   versions available in the gnupg 1.4 series are far more matured.


Please get it from the mirrors as listed at
http://www.gnupg.org/download/mirrors.html 
or direct from ftp.gnupg.org:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.16.tar.bz2(1667k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.16.tar.bz2.sig

 or as a patch against the previous release:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.15-1.9.16.diff.bz2 (108k)


You will also need to get a new libksba (the X.509 and CMS parser):

  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.11.tar.bz2 (443k)
  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.11.tar.bz2.sig

 a patch is also available:

  ftp://ftp.gnupg.org/gcrypt/alpha/libksba/libksba-0.9.10-0.9.11.diff.bz2 
  (112k)


GnuPG 1.9 makes use of a separate tool for CRL checking, this is
called the Dirmngr.  We have also released a new version of it and we
suggest to update to that release:

  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.2.tar.bz2  (463k)
  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.2.tar.bz2.sig

 as usual we also provide a patch:

  ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-0.9.1-0.9.2.diff.bz2 (16k)


SHA-1 checksums for the above files are:

  7e470baf9a91221342af5aad57319329bf983a3a  gnupg-1.9.16.tar.bz2
  5a296cd8788f7fe2495bc014f8e19a4d2a000dc8  gnupg-1.9.15-1.9.16.diff.bz2
  0dc8a41b3165404ccdb0e4a3701412f7cc625b11  libksba-0.9.11.tar.bz2
  9805a08fd74b64c23262d31b741b12b0a59f04b2  libksba-0.9.10-0.9.11.diff.bz2
  0e8377deb78408b9081681ea1437667cc3c5b77e  dirmngr-0.9.2.tar.bz2
  5f02bd2a9c5ac9214e0412d48d8d5342e230a2b0  dirmngr-0.9.1-0.9.2.diff.bz2


Happy hacking,

  Werner

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkJnxRgACgkQYHhOlAEKV+3RUgCeKeZvWsVNJDK5Mm5GKRmTzPjL
/sMAoLmKF4+61cYHk/NxKUlmqUxSIq2T
=yxLM
-END PGP SIGNATURE-

-- 
g10 Code GmbH   http://g10code.com  AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61   Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-  USt-Id DE215605608


___
Gnupg-announce mailing list
[EMAIL PROTECTED]
http://lists.gnupg.org/mailman/listinfo/gnupg-announce




Re: gpgme list secret keys

2005-04-25 Thread Werner Koch
On Sun, 24 Apr 2005 22:11:01 +0200, Matthijs Mohlmann said:

 err = gpgme_op_keylist_start(ctx, NULL, 0);

Replace the 0 by a 1 to list only keys where a secret key is
available.

 while (!err) {
   uid = key->uids;
   subkey = key->subkeys;
   printf("%s: %s %s\n", subkey->keyid, uid->name, uid->email);
   err = gpgme_op_keylist_next(ctx, &key);
 }

That should be:

 while (!err && !(err = gpgme_op_keylist_next(ctx, &key)))
   {
     uid = key->uids;
     subkey = key->subkeys;
     printf("%s: %s %s\n", subkey->keyid, uid->name, uid->email);
     gpgme_key_unref (key);
   }


Salam-Shalom,

   Werner




Re: gpg --batch --no-tty --gen-key

2005-05-02 Thread Werner Koch
On Sat, 30 Apr 2005 01:03:49 -0700 (PDT), wolfe  said:

 gpg --no-tty --export-secret-keys --armor '$EMAIL' > $IDENT.sec.asc
 gpg --no-tty --export --armor '$EMAIL' > $IDENT.pub.asc

Do you really have a key with the string '$EMAIL' in a user ID?
I guess what you want to use is

 gpg --batch --no-tty --export --armor "$EMAIL" > $IDENT.pub.asc

Note the double quotes.


Salam-Shalom,

   Werner




Re: GPG error code with successful signing operation

2005-05-02 Thread Werner Koch
On Thu, 28 Apr 2005 00:11:20 -0500, Alex L Mauer said:

 When GPG is set to use the gpg-agent but the gpg-agent is not available
 (error message gpg-agent is not available in this session or can't
 connect to `/path/to/non-existent-pipe': No such file or directory), it
 produces a fatal error code of 2 even if the passphrase is successfully

You have set $GPG_AGENT_INFO and --use-agent but for some reasons the
daemon died or is not available.  This is indeed something to
investigate and thus flagged as a real error.

Please give version numbers and the exact error strings you see when
sending bug reports.



Shalom-Salam,

   Werner





Re: decrypting large files failes

2005-05-03 Thread Werner Koch
On Tue, 03 May 2005 10:34:28 +0200, Daniel Musketa said:

 Is there a size limit for creating gpg files?

In general no.  However there might be a problem with the Windows
version.  There is a workaround which will work for sure:

  gpg -e <message >message.gpg

  gpg <message.gpg >message

This way gpg does not know about the files but takes any input of any
size and pipes it to the output.  Opening the files and the
redirection is done by Windows (cmd.exe).


Shalom-Salam,

   Werner




Re: KMail and smartcard

2005-05-24 Thread Werner Koch
On Tue, 24 May 2005 06:41:24 +0200, Chris  said:

 How can I use the smartcard in KMail? I cannot choose its keys in the 
 Identity 
 management.

Does gpg -K list your key?  This is what Kmail displays.

You are using a decent Kmail (with all the crypto tabs in the
configuration dialog and the requirement for gpg-agent)?

 Using a key from the harddrive does work without problems.

For gpg it makes no difference whether the key is on the disk or on
the card.  This is because we create a stub- secret key for every
card key.  gpg -K will show you the serial number of the cards
associated with that secret key.

If you generated the card key on another machine, please run gpg
--card-status once on the new machine to create such a stub key.


Shalom-Salam,

   Werner




Re: Timing attack against AES

2005-05-24 Thread Werner Koch
Hi!

Ryan, thanks for explaining this.  I agree with you.

Let me add that this is a classical type of side-channel attack and
nothing really new.  It is a general problem to hide things from other
processes when sharing hardware.  It is possible to make it hard but
there will never be a perfect solution on a general purpose computer.
Disallowing access to fine grained timing facilities will somewhat
help but is inconvenient for other applications.

If one really cares about security, running any unrelated process to
the encryption software is dangerous as it opens a lot of channels to
snoop keys.  For public key encryption it is in most cases not that
critical because only the session keys are at stake and there are
easier ways to get to the plaintext.  Using private keys (i.e.
decrypting or signing messages) on a multi-user box is something one
should avoid under all cases because a compromise is not limited to
one or several sessions but extends to the past and future use of that
key.

If you have really valuable things, better use dedicated hardware
hardened to protect keys.  Today this may even require changes at the
lowest levels to replace the simple true/false logic elements.  There
are many papers on how to harden smartcards and HSMs against side
channel attacks and those techniques are already in use.

One interesting question with the recent AES and Hyperthreading RSA
attacks is whether they can be used to poke holes into forthcoming
Digital Restriction Management systems (TCPA et al.).  The Fritz chip
might be up to what the card industry has learned the hard way but
those systems also need to do many crypto things by trusted software
on a general purpose CPU.


Shalom-Salam,

   Werner












Re: possible to encrypt message from pubkey gotten from ssl cert?

2005-05-24 Thread Werner Koch
On Sun, 22 May 2005 15:07:57 -0700, Alex Liberman said:

 is it possible to extract public key from ssl cert (actually have
 already got that far), and then use gpg to encrypt message using
 that public key? THx

Yes.  It is however some work.  With the integration of ssh keys,
X.509 certs and smartcards in the GnuPG 1.9 CVS, most code snippets
should be available.  However they are not connected in a way to allow
what you want to do.  BTW, Hal Finney posted a description on how PGP
Corp. does this to the OpenPGP WG (ietf-openpgp at imc.org) on
2005-04-12.

My plans actually head into the other direction:  Take an OpenPGP key
and create an X.509 certificate from it.   This is easier because
OpenPGP has that feature of subkeys and thus it is better suited to
act as a general type of key repository.


Salam-Shalom,

   Werner





Re: RC2

2005-05-31 Thread Werner Koch
On Tue, 24 May 2005 18:35:45 +0200, Alexander Hoffmann said:

 (rfc2268.c), but it will not be compiled (i concluded it from
 libgcrypt-config --algorithms output). What should i do to get the RC2

There might be a bug in libgcrypt-config --algorithms.  However there
is no need to do anything special.  A plain ./configure && make will build
the rfc2268 cipher - gnutls actually depends on it.

 
Salam-Shalom,

   Werner




Re: Signing and Encrypting of attachments with Content-Type: message/rfc822

2005-05-31 Thread Werner Koch
On Tue, 31 May 2005 14:45:05 +0200, Sascha Kiefer said:

 have attachment of Content-Type: message/rfc822?
 The easiest way is to use PGP/Mime? But is it decodeable by anybody? Are

MS Outlook can't cope with it.  Every other MTA with a full MIME
implementation should be able to handle it.


Shalom-Salam,

   Werner




Re: GnuPG Clearsign vs. PGP/MIME Signing

2005-06-06 Thread Werner Koch
On Sun, 05 Jun 2005 11:36:32 +0200, Martin Geisler said:

 I don't know how Outlook (not Express) handles things.

It won't be possible to verify a signature with Outlook due to the
fact that it is not possible to get to the raw MIME headers.  It might
be possible to write a plugin which uses heuristics to verify
signatures in most cases.  We, g10 Code, are considering to implement
this in the new plugin we are working on.


Salam-Shalom,

   Werner




Re: GnuPG Clearsign vs. PGP/MIME Signing

2005-06-06 Thread Werner Koch
On Sun, 5 Jun 2005 13:45:30 +0200, Kiefer, Sascha said:

 Well, as far as i see there is no difference between the MIME format of
 rfc2015 and rfc3156.

Correct, 3156 has only minor clarifications.

 So, what is right?

 RFC like:

 Content-Type: multipart/signed; micalg=pgp-md5
 protocol=application/pgp-signature; boundary=bar
 

Correct.

 Or (enigmail like)

 Content-Type: multipart/mixed;
 boundary=foo

Wrong.  IIRC this is a workaround due to problems with the Mozilla
code.  Enigmail users should nag the Mozilla hackers to provide a
working and useful interface to MIME and don't hardcode S/MIME.

 But what should i generate?

The first of course.



Shalom-Salam,

   Werner




Re: GnuPG Clearsign vs. PGP/MIME Signing

2005-06-06 Thread Werner Koch
On Mon, 06 Jun 2005 16:16:54 +0200, Sascha Kiefer said:

 The PGP/MIME RFC states that you can first sign and then encrypt the mail.

Doing this on the MIME level allows you to easily strip the encryption
layer while leaving the signature intact.

 In S/MIME it is allowed to first encrypt and then sign the message.
 Do you think it's feasible to do the same in PGP/MIME? I think it is

Yes it is possible but you should not do it.  

When signing an encrypted document you don't know what you are
actually signing and it won't be possible to keep the signature intact
(e.g. archival purposes) without compromising the encryption key.


Salam-Shalom,

   Werner





Re: Set date for signature to expire

2005-06-08 Thread Werner Koch
On Wed, 08 Jun 2005 02:09:59 +0200, Per Tunedal Casual said:

 Issuers of X509 certificates use 1 year for soft certificates and 5 years
 for card certificates. I don't know their calculations behind that decision.

That is a different thing: It is the expiration time of the key;
something one should really set and it has been in gpg since the
beginnings.  Key-signatures are different and there is no counterpart
in X.509.


Shalom-Salam,

   Werner





Re: ftp.gnupg.org down?

2005-06-14 Thread Werner Koch
On Tue, 14 Jun 2005 05:08:45 -0700, Erpo  said:

 I can connect, but I can't get any sort of login prompt. +1 data point.

It's up again.  The problem is that the server leaks file descriptors
and I have still not been able to nail the problem down.  I guess I
need to switch to a newer kernel.



Salam-Shalom,

   Werner




Re: Corrupt keys

2005-06-18 Thread Werner Koch
On Sat, 18 Jun 2005 18:28:59 +0930, Alphax  said:

 Recently, I discovered the following message on GPG startup:
 gpg: signature packet without timestamp

gpg in general needs the timestamp of the signature to figure out the
latest signature.  However when the signature is not used we should
not throw an error and let gpg return failure.  I changed it to a
warning only message.


Shalom-Salam,

   Werner





Re: SmartCard doesn't work

2005-06-20 Thread Werner Koch
On Sun, 19 Jun 2005 21:30:11 +0200, Ralf Cordes said:

 card the next day nothing worked. Neither my new PINs nor the PINs which
 came with the card. I also wrote a mail to KernelConcepts but got no reply.

What does the gpg --card-status show?

 Now I have a nice card without function. Is there a possibility to clear
 everything on the card? Even the PINs?

No.



Salam-Shalom,

   Werner




Re: SmartCard doesn't work

2005-06-20 Thread Werner Koch
On Mon, 20 Jun 2005 11:26:32 +0200, Ralf Cordes said:

 PIN retry counter : 3 0 3

That is not a real problem.  The CHV2 tries have been used up.  In
general CHV1 and CHV2 are synced however when you enter a wrong PIN
the corresponding CHV's retry counter gets decremented.

Please check why you entered the wrong PIN before resetting the retry
counter.  The factory default PIN is 123456 without the quotes.

To reset the PIN counter, enter on the command line:

  gpg --card-edit

then

  admin

then 

  passwd

and then select 2 for unblocking the PIN.  You are then asked for the
Admin PIN (CHV3); the factory default for it is 12345678.  Enter it
and check whether the counters are all back to 3 by using the command
list.  If you are not sure of the AdminPIN anymore, don't keep on
trying but check the used software first and think hard whether you
really changed the AdminPIN or whether it is still at the default
value.


Salam-Shalom,

   Werner






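
A pre-check for the unblock procedure in the message above, as an added example that is not part of the original post. It reads the "PIN retry counter" line in the CHV1 CHV2 CHV3 order the message describes; the sample card-status text is constructed, and `next_step` with its `admin_floor` margin is a hypothetical helper.

```python
import re

# Counter order as described in the message: "3 0 3" means CHV1=3, CHV2=0,
# CHV3=3, where CHV3 is the Admin PIN.
CHV_NAMES = ("CHV1", "CHV2", "CHV3")

# Constructed sample of `gpg --card-status` output (relevant lines only).
SAMPLE_STATUS = """\
Version ..........: 1.1
PIN retry counter : 3 0 3
Signature counter : 0
"""


def parse_retry_counters(card_status):
    """Return {'CHV1': n, 'CHV2': n, 'CHV3': n} from card-status text."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$",
                  card_status, re.MULTILINE)
    if m is None:
        raise ValueError("no 'PIN retry counter' line found")
    return dict(zip(CHV_NAMES, (int(g) for g in m.groups())))


def next_step(counters, admin_floor=2):
    """Decide what to do before touching the card again.

    admin_floor is a hypothetical safety margin: with fewer Admin PIN
    tries left than this, stop and confirm the Admin PIN before trying.
    Returns (state, list of blocked user CHVs).
    """
    blocked = [name for name in ("CHV1", "CHV2") if counters[name] == 0]
    if counters["CHV3"] == 0:
        # No Admin PIN tries left: the unblock menu entry cannot be used.
        return "admin-blocked", blocked
    if not blocked:
        return "ok", blocked
    if counters["CHV3"] < admin_floor:
        # Unblocking needs the Admin PIN; do not guess with the last try.
        return "verify-admin-pin-first", blocked
    # gpg --card-edit, admin, passwd, then 2 (unblock), as in the message.
    return "unblock", blocked


if __name__ == "__main__":
    counters = parse_retry_counters(SAMPLE_STATUS)
    print(counters, next_step(counters))
```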


Re: New Outlook Plugin .99.1 (Beta) - works great!

2005-06-20 Thread Werner Koch
On Mon, 20 Jun 2005 09:08:30 -0400, Jason Markley said:

 However.I can't seem to get the plugin to work with outlook.  It
 crashes every time I try to decrypt or encrypt an email.  Also,
 there's no toolbar buttons on the main outlook window (for those of us
 that use the preview-pane).  Are there special usage or install

Thanks for the report.  Please note that we are working on that thing
and that it has not undergone any serious testing yet.


Shalom-Salam,

   Werner




[Announce] GnuPG 1.9.17 (S/MIME and gpg-agent) released

2005-06-20 Thread Werner Koch
Hello!

We are pleased to announce the availability of GnuPG 1.9.17 - the
branch of GnuPG featuring the S/MIME protocol.  You should consider
using GnuPG 1.9 if you want to use the GPG-AGENT or GPGSM.  The
GPG-AGENT is also helpful when using the stable GPG version 1.4 or if
you want to check out its ssh-agent replacement feature.

GnuPG 1.9 is the current development version of GnuPG.  Despite
that, most parts (in particular GPG-AGENT and GPGSM) are considered
ready for production use. Please keep on using GnuPG 1.4.x for
OpenPGP; 1.9 and 1.4 may - and actually should - be installed
simultaneously.

This release features a partial rewrite of the smartcard access code as
well as several bug fixes and enhancements.  Noteworthy things are:

 * gpg-connect-agent has now features to handle Assuan INQUIRE
   commands.

 * Internal changes for OpenPGP cards. New Assuan command WRITEKEY.

 * GNU Pth is now a hard requirement.

 * [scdaemon] Support for OpenSC has been removed.  Instead a new and
   straightforward pkcs#15 module has been written.  As of now it
   allows only signing using TCOS cards but we are going to
   enhance it to match all the old capabilities.

 * [gpg-agent] New option --write-env-file and Assuan command
   UPDATESTARTUPTTY.

 * [gpg-agent] New option --default-cache-ttl-ssh to set the TTL for
   SSH passphrase caching independent from the other passphrases.


You may download it from one of the mirrors as listed at
http://www.gnupg.org/download/mirrors.html or direct from the master
server ftp://ftp.gnupg.org:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.17.tar.bz2 (1709k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.17.tar.bz2.sig

 or as a patch against the previous release:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.16-1.9.17.diff.bz2 (150k)


You will also need to get a new libassuan (our IPC library):

  ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/libassuan-0.6.10.tar.gz (252k)
  ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/libassuan-0.6.10.tar.gz.sig

 a patch is also available:

  ftp://ftp.gnupg.org/gcrypt/alpha/libassuan/libassuan-0.6.9-0.6.10.diff.bz2 (5k)


SHA-1 checksums for the above files are:

  f089490450b99263332c71f6e296a3a83b28433c  gnupg-1.9.17.tar.bz2
  4331d0755e50e87b3001d061f63e82e2834ffc1a  gnupg-1.9.16-1.9.17.diff.bz2
  18d43335494b0d38dde6d9748cbde4141f04114b  libassuan-0.6.10.tar.gz
  6375968684e6c7dc854dc05366c4106e5dbe30dd  libassuan-0.6.9-0.6.10.diff.bz2

For help on installing or running GnuPG 1.9 you should send mail to
the gnupg-users mailing list or to one of the country specific lists.
See http://www.gnupg.org/documentation/mailing-lists.html .

Improving GnuPG is costly, but you can help!  We are looking for
organizations that find GnuPG useful and wish to contribute back.  You
can contribute by reporting bugs, improve the software, or by donating
money.

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance.  g10 Code GmbH, a Duesseldorf based
company owned and headed by gpg's principal author, is currently
funding GnuPG development.  We are always looking for interesting
development projects.


Happy hacking,

  Werner

-- 
Werner Koch  [EMAIL PROTECTED]
The GnuPG Experts  http://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
Join the Fellowship and protect your Freedom!  http://www.fsfe.org


___
Gnupg-announce mailing list
[EMAIL PROTECTED]
http://lists.gnupg.org/mailman/listinfo/gnupg-announce


[Announce] Second release candidate for GnuPG 1.4.2 available

2005-06-21 Thread Werner Koch
Hi!

We are pleased to announce the availability of a second release
candidate for the forthcoming 1.4.2 version of GnuPG:

 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.2rc2.tar.bz2  (28Mk)
 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.2rc2.tar.bz2.sig

 Alternatively a patch against the first release candidate may be
 downloaded from the same directory:

 gnupg-1.4.2rc1-1.4.2rc2.diff.bz2 (228k)

A binary version built for Microsoft Windows is available at:

 ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.2rc2.exe (1.4M)
 ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.2rc2.exe.sig

Please try it out and report any problems to the gnupg-devel or
gnupg-users list (http://www.gnupg.org/documentation/mailing-lists.html).

Checksums are:

42f045f7704989a07a0703885ae2d6c9d56f3bfe  gnupg-1.4.2rc2.tar.bz2
1ddb8a0edeaef9c48ef7dd2bdbe191c9e01a973d  gnupg-1.4.2rc1-1.4.2rc2.diff.bz2
369fd17452f788e0f290a56a0888a3525b7d58c9  gnupg-w32cli-1.4.2rc2.exe


Noteworthy changes since 1.4.1:

* New command verify in the card-edit menu to display
  the Private-DO-3.  The Admin command has been enhanced to take
  the optional arguments on, off and verify.  The latter may
  be used to verify the Admin Pin without modifying data; this
  allows displaying the Private-DO-4 with the list command.

* Rewrote large parts of the card code to optionally make use of a
  running gpg-agent.  If --use-agent is being used and a gpg-agent
  with enabled scdaemon is active, gpg will now divert all card
  operations to that daemon.  This is required because both,
  scdaemon and gpg require exclusive access to the card reader. By
  delegating the work to scdaemon, both can peacefully coexist and
  scdaemon is able to control the use of the reader.  Note that
  this requires at least gnupg 1.9.17.

* Fixed a couple of problems with the card reader.

* Command completion is now available in the --edit-key and
  --card-edit menus.  Filename completion is available at all
  filename prompts.  Note that completion is only available if the
  system provides a readline library.

* New experimental HKP keyserver helper that uses the cURL
  library.  It is enabled via the configure option --with-libcurl
  like the other (also experimental) cURL helpers.

* New key cleaning options that can be used to remove unusable
  (expired, revoked) signatures from a key.  This is available via
  the new clean command in --edit-key on a key by key basis, as
  well as via the import-clean-sigs/import-clean-uids and
  export-clean-sigs/export-clean-uids options for --import-options
  and --export-options.  These are currently off by default, and
  replace the import-unusable-sigs/export-unusable-sigs options
  from version 1.4.1.


Translators may use this release to update the PO files for inclusion
in 1.4.2.  See doc/TRANSLATE.


Happy Hacking,

  David, Timo, Werner


-- 
Werner Koch  [EMAIL PROTECTED]
The GnuPG Experts  http://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
Join the Fellowship and protect your Freedom!  http://www.fsfe.org




Re: How to import a secret subkey?

2005-06-22 Thread Werner Koch
On Tue, 21 Jun 2005 09:11:51 -0400, David Shaw said:

 You can't.  GnuPG does not currently support merging secret subkeys.
 To do it, you need to delete the secret key on the second machine and
 re-import the whole key.

We might however add this soon.  IIRC most code is already there as we
do something similar with card backup keys.  Won't go into 1.4.2
though.  At least not officially because it is strings-frozen to
allow for proper and complete translations.


Shalom-Salam,

   Werner




Re: How to import a secret subkey?

2005-06-27 Thread Werner Koch
On Wed, 22 Jun 2005 21:08:18 +0100, Adam Funk said:

 I think there used to be a restriction that gpg --import secretkey.gpg 
 wouldn't work without setting a special option.  Is importing secret keys 
 by accident no longer considered a risk?

This was fixed with version 1.0.7 about 3 years ago.  gpg won't set
the ownertrust of an imported key; the user is expected to do it.


Salam-Shalom,

   Werner





Re: --for-your-eyes-only

2005-06-28 Thread Werner Koch
On Mon, 27 Jun 2005 23:18:26 -0400, David Shaw said:

 However, GnuPG can call other programs to do other tasks (keyserver
 access programs, JPEG viewers for photo IDs), so it's not impossible
 that GnuPG could call an external secure viewer program.  I don't know
 of one offhand though.

Nor do I know.

We planned to add such a viewer to the GPA utility and the CVS carries
Markus Kuhn's fonts for a long time - however nobody has yet found
time to write a GTK+ widget to make use of this font.  If there is
someone with GTK+ experience and some spare time I would really
appreciate to see such a feature.


Shalom-Salam,

   Werner




Re: pinpad cardreader; imported smart-card keys

2005-06-28 Thread Werner Koch
On Mon, 27 Jun 2005 16:30:15 -0500, Alex Mauer said:

 I purchased an SCM SPR332 card reader, based on the Smartcard Howto's
 statement (about the SPR532) The pinpad may be used to securely enter
 the PIN.  I have found that I cannot use the pinpad, at least not with

As of now the "may be" means with software supporting it but not with
GnuPG :-(.

The longer answer is that I have worked on it and added code to the
CCID driver to check this out.  It works fine but there is one party
missing: We need to have a mechanism to tell the upper layers that a
pinpad reader is available and that the pinentry shall not be used for
entering the PIN but to display a note saying: Please enter the PIN on
the reader keypad.

Given the demand of support for the keypad, I will start to work on it
soon.

 From what I can google, I should be able to (re)generate the stub keys
 by using 'gpg --card-status'.  But, this seems not to work.

I need to see what happens; will get back to you later.


Salam-Shalom,

   Werner




Re: --for-your-eyes-only

2005-06-28 Thread Werner Koch
On Tue, 28 Jun 2005 04:58:52 -0400, Charly Avital said:

 I may not understand what you mean by portable.
 I suppose that a secure viewer (software program) could not be nearly
 ported to GnuPG?

GnuPG is a command line tool which only manages text input and output
and as such it is pretty portable.

For a viewer you need a graphical user interface to be able to display
custom made fonts.  Portability is harder to achieve than with text
tools but in general not a real problem.  However, it is a well known
paradigm on Unix to have small specialized tools and not to put every
thing into one big application.  A secure, or well better tempest
resistant, viewer should for sure be done as a separate application or
as part of a gpg frontend.

 I shall not discuss whether TEMPEST attacks, when targeted to CRT or LCD
 displays pose a real threat to encryption users (who is the targeting
 agent? who are the targeted/chosen users?) because I have no expertise
 or even reasonable knowledge of the technological aspects of that issue.

See http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-577.pdf for the
theory and examples of tempest attacks.

 But if it is, in fact, a viable way to breach confidentiality, it is
 possible that GnuPG could consider to include an external secure viewer
 program in future developments. As a matter of fact, according to
 Werner's email, some work has already been done, and is included in the CVS.

Well, there has not been much work done.  It was planned for some
later GPA releases but development of GPA more or less stopped so we
are not quite where we wanted to be a long time ago.

A simple text renderer as an alternative to less(1) on X would be
useful for quite some applications.  IIRC, GNOME has a gless tool
which could be enhanced by using filtered fonts.  A new text widget
for GTK+ is probably the best way to achieve this.



Salam-Shalom,

   Werner




Re: --for-your-eyes-only

2005-06-28 Thread Werner Koch
On Tue, 28 Jun 2005 11:16:00 +0200 (MET DST), Johan Wevers said:

 Which makes me think... outputting the text to a .jpg (or .gif or .png)
 with secure fonts shown in the picture. The picture could then be looked
 at in an external viewer. That would be completely portable.

Actually a neat idea.  It could be implemented as a new conversion to
netpbm or ImageMagick.

There is just one caveat:

| Tempest protection by filtered fonts and related techniques are in the
| process of being patented internationally. This demonstration font can
| be copied and used freely in products for which the source code is
| made freely available (see the GNU General Public License for
| details). Contact the author for further information if you want to
| use this technology in commercial or military products.
| 
| This package is available from
| 
|   http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip

Where this - but only this - shouldn't be a problem even if the EU
continues to ignore the will of its citizens and national parliaments
in next week's parliament reading on software patent.


Shalom-Salam,

   Werner




Re: pinpad cardreader; imported smart-card keys

2005-06-28 Thread Werner Koch
On Tue, 28 Jun 2005 10:35:58 -0500, Alex Mauer said:

 As I was afraid of; perhaps the howto could be updated to clarify that

We will do this.

 The longer answer is that I have worked on it and added code to the
 CCID driver to check this out.  

 How about the SC daemon?

It's the same code (source copied).

 Would it work to have the PIN entry still display, but if the PIN is
 entered on the keypad accept that and remove the PIN entry box?

It is not a real problem, we just need to pass the information to the
upper layers.  Plain and simple software craft.


Salam-Shalom,

   Werner




Re: Equivalent to option -f ?

2005-06-28 Thread Werner Koch
On Thu, 23 Jun 2005 17:40:36 +0200, Konrad Mathieu said:

 I have to adapt a shell script to work with GPG instead of PGP and it 
 contains the -f option for acting like a filter. Actually,

There is no need for such an option because gpg, being a good Unix
citizen, does this by default.

 the full command is: pgp -f -ea rvsdata 
 How do I make gpg behave exactly the same?

Either:

   gpg -ea rvsdata

or

   gpg -ea --output - rvsdata


Salam-Shalom,

   Werner




Re: --for-your-eyes-only

2005-06-29 Thread Werner Koch
On Tue, 28 Jun 2005 23:49:54 +0200 (MET DST), Johan Wevers said:

 Are you saying that my idea to output a picture with tempest-resistant
 fonts won't cause a problem, or that even if tempest-resistant fonts are
 patented only the fonts from the above URL can be used for this purpose?

In case swpats gets legalized in EU it won't be possible to write free
tempest resistant viewers. 

The exception are viewers available under a copyleft license (like the
GPL) using the mentioned specific font.


Salam-Shalom,

   Werner





Re: --for-your-eyes-only

2005-06-29 Thread Werner Koch
On Wed, 29 Jun 2005 10:55:02 +0200, Janusz A Urbanowicz said:

 Some form of secure viewer was present in PGP 2.3 and 2.6 which were FLOSS.

Huh, that's new to me.  Both versions are pure command line tools
without a graphical part.  No way to make use of filtered fonts.

I am not sure what kind of software you collect under the term of
FLOSS; if you mean Free Software, PGP has never been Free Software
despite what many people claimed.

 Unless they patented it (sigh) it can be reengineered back to the GPG, like
 Photo-IDs.

Photo IDs are a feature of PGP6 and now OpenPGP.


Salam-Shalom,

   Werner




Re: --for-your-eyes-only

2005-06-29 Thread Werner Koch
On Wed, 29 Jun 2005 16:54:39 +0200, Janusz A Urbanowicz said:

 The aim of the secure viewer then was to make difficult to obtain eyes-only
 message text as a file or a pipe. It checked if output is a live tty,

Okay, that is something different.  I was solely speaking of a tempest
resistant viewer - the kind of thing PGP 6 named secure viewer(/ing
mode).

 Software that was distributed under GPL: pgp 2.3 and 2.3a. And please don't

That's right. However these are AFAIK the only versions under the GPL
without restrictions.  The widely used 2.6* versions are under a non
free license disallowing to change certain parts of the software or to
distribute only parts of it.

 let the discussion slip in legalese tetrapiloctomisation.

http://fsfeurope.org/documents/whyfs.html

 My point exactly, except that secure viewer needs not to be defined in the
 protocol RFC.

In fact there used to be a long discussion whether to keep the
for-your-eyes-only feature in OpenPGP or to drop it.  It does not
belong into the standard as OpenPGP defines a message format and not
an application.


Shalom-Salam,

   Werner





Re: Out of office notifications.

2005-06-29 Thread Werner Koch
On Wed, 29 Jun 2005 12:29:33 -0400, Charly Avital said:

 I have grown tired to receive out office notifications from
 [EMAIL PROTECTED] everytime I post to the list.
 That address is now on my junk list.

I have disabled mail delivery to that account.


Salam-Shalom,

   Werner





Re: pgp keys in gnupg: IDEA need for all recipients?

2005-06-30 Thread Werner Koch
On Thu, 30 Jun 2005 11:23:17 +0200, Mark Kirchner said:

 Yes, as long as your key requires the use of IDEA-encryption,
 everybody who's trying to encrypt to you has to use an IDEA-enabled

Nope.  IDEA is an optional algorithm in OpenPGP.  All OpenPGP
compliant applications will use 3DES as the default algorithm if there
are no preferences defined.

Obviously you can't decrypt archived messages without having IDEA.
You better keep an old copy of pgp 2.6 around.

When migrating to gpg the best solution is to set the passphrase to
empty using pgp2, export and import the secret key into gpg and set
the passphrase again so that it gets protected using a modern
algorithm.


Shalom-Salam,

   Werner





Re: --for-your-eyes-only

2005-07-01 Thread Werner Koch
On Thu, 30 Jun 2005 13:34:21 +0200, Janusz A Urbanowicz said:

 Yes, but if the threat model involves TEMPEST, should it also involve
 TEMPEST from optical wavelengths (reflected light)?

It depends on your needs; closing the shutters is one solution against
it.


Shalom-Salam,

   Werner




Re: gpa problem

2005-07-12 Thread Werner Koch
On Thu, 07 Jul 2005 22:47:58 +0200, Eric Tanguy said:

 I have gpa 0.7.0 installed on FC4 system. When i try to search a key a
 window saying connecting to the server hkp://yyy please wait and that's
 all. I have tried all the available servers and this is always the same.
 gpa keep this window as long as i closed gpa. Any idea ?

Try it on the command line

  gpg --keyserver hkp://yyy --search-keys foo

if this works, the problem is in GPA.  An strace (with -f) might help here.


Shalom-Salam,

   Werner




Re: How to check fingerprint without importing?

2005-07-13 Thread Werner Koch
On Tue, 05 Jul 2005 17:40:54 -0700, Penelope Fudd said:

   On this system, there are about three dozen GPG key files that can be
 loaded into my rpm database, and I'm pretty sure that one of them is the
 right one, but I don't want to load them all.

Import them all.  It doesn't matter because the trust validation
won't allow you to use a key which isn't trustworthy enough.

   How do I print out details of GPG key files (fingerprints, owner, etc)
 without importing them?

gpg --with-fingerprint foo.asc



Shalom-Salam,

   Werner




Re: Direct LDAP access

2005-07-13 Thread Werner Koch
On Tue, 12 Jul 2005 20:31:15 -0500, Wes  said:

 Hmm...  That seems a bit kludgy, but certainly something to consider.  I
 assume it would require two gpg commands - one to retrieve/import the key
 and one to do the encryption?

 I don't think this would help with accessing private keys, though?

Private keys are - private and thus it is in general dangerous to keep
them on an LDAP server.  From your problem description I have some
doubts that you are going for the correct solution.  If you want to
talk about this, please feel free to contact me at wk at g10code.com.


Shalom-Salam,

   Werner




Re: CRC error encrypted_mdc packet with unkown version 255

2005-07-13 Thread Werner Koch
On Sun, 10 Jul 2005 09:15:45 +0200, Henk M de Bruijn said:

 gpg: CRC error; 4BF535 - 4F6694

The ASCII armor has been garbled somewhere on the transport.


Salam-Shalom,

   Werner




Re: clearsign destroys files

2005-07-14 Thread Werner Koch
On Thu, 14 Jul 2005 12:48:58 +0200, Tobias Roth said:

 gpg --clearsign -o signed.pdf original.pdf

You can't clearsign binary data.


Shalom-Salam,

   Werner




Re: smart card + gpg only root

2005-07-20 Thread Werner Koch
On Tue, 19 Jul 2005 13:05:16 +0200, Federico Munerotto said:

 My user is the group scard but as long as only the root user can have
 access to the smart card it remains useless. I think it is a trivial
 permission issue: any help?

With the Debian packages of pcscd anyone may connect to a running
pcscd and access the reader.  Use pcsc_scan to see whether the pcscd
is working.  You might also want to start pcscd in the foreground

  pcscd -f -d

to better see what's going on.

 A workaround would be telling evolution to use sudo gpg instead of gpg,
 but there isn't a way to do that.

Don't even think of doing this.

As explained in the HOWTO (at www.gnupg.org) you might also want to
check whether the gpg internal driver works for you (gpg 1.4.2rc2).
When building gpg, just make sure that libusb development files have
been installed.  Then follow the HOWTO to set up the permissions
properly.

gpg --debug-ccid-driver  

might then be helpful.


Shalom-Salam,

   Werner





Re: receiving key to file and more

2005-07-20 Thread Werner Koch
On Wed, 20 Jul 2005 12:02:24 +0200, Sascha Kiefer said:

 1. is it possible to receive a key to a file instead of to the keyring?

No.  You may however use the helper tools directly.

 2. what is the difference between --search-keys and --recv-keys ?

--search-keys presents a list of matching keys whereas --recv-keys
will return the key matching the keyID.


Shalom-Salam,

   Werner




Re: smart card + gpg only root

2005-07-20 Thread Werner Koch
On Wed, 20 Jul 2005 13:13:00 +0200, Federico Munerotto said:

 gpg: DBG: ccid-driver: usb_claim_interface failed: -1

The USB device can't be accessed.  This is a permission problem with
the usbfs.

 (ID=058F:9520:X:0)

Use lsusb to figure out the device like:

$ lsusb
Bus 002 Device 001: ID :  
Bus 001 Device 001: ID :  
Bus 001 Device 002: ID 058f:9254 Alcor Micro Corp. Hub
Bus 001 Device 011: ID 046d:0a02 Logitech, Inc. 
Bus 001 Device 014: ID 04e6:e003 SCM Microsystems, Inc. 

You should find a line with the ID 058F:9520.  Assuming this is the
6th line you now do a:

$ ls -l /proc/bus/usb/001/014
-rw-rw-r--  1 root scard 18 Jul 20 11:13 /proc/bus/usb/001/014

The above is correct but I guess that the permissions are not correct
for you.  If setup as suggested by the HOWTO then the hotplug scripts
should take care of it.

Some systems have a bug in the scripts and require a 0x0 instead of
just a 0.  If you used the scripts verbatim you should fix them:

  # Generic CCID device
  gnupg-ccid  0x0080  0x00x00 0 0 0 0x00 0x0B 0x00 0x00 0x
  # SPR532 is CCID but without the proper CCID class
  gnupg-ccid  0x0003  0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x
  # SCR33x is CCID but without the proper CCID class
  gnupg-ccid  0x0003  0x04e6 0x5115 0 0 0 0 0x00 0x0B 0x00 0x00 0x

to  

  # Generic CCID device
  gnupg-ccid  0x0080  0x0 0x0 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x
  

[Yes, I need to upload a revision of the HOWTO.]

The change above should be sufficient.  If this all does not work you
might want to manually chmod and chgrp the device for now and then
figure out what's wrong with the hotplug scripts.

If you made this reader work for you, please tell me the type so that
I can put it into our list of verified readers.


hth,

  Werner




Re: smart card + gpg only root

2005-07-20 Thread Werner Koch
On Wed, 20 Jul 2005 16:27:04 +0200, Federico Munerotto said:

 if the device is unplugged and then plugged again, belongs again to the
 root group and isn't writable again (change its location). I need to set
 up hotplug to 
 1. chgrp to the proper group
 2. chmod +rw scard
 the file that is created.

You need to debug the hotplug script.  Here are the scripts I am
using:

# The entries below are used to detect CCID devices and run a script
#
# USB_MATCH_VENDOR        0x0001
# USB_MATCH_PRODUCT       0x0002
# USB_MATCH_DEV_LO        0x0004
# USB_MATCH_DEV_HI        0x0008
# USB_MATCH_DEV_CLASS     0x0010
# USB_MATCH_DEV_SUBCLASS  0x0020
# USB_MATCH_DEV_PROTOCOL  0x0040
# USB_MATCH_INT_CLASS     0x0080
# USB_MATCH_INT_SUBCLASS  0x0100
# USB_MATCH_INT_PROTOCOL  0x0200
#
# script   match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
#          bDeviceClass bDeviceSubClass bDeviceProtocol
#          bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
#
#           flags   V   P   Bl  Bh   Clas Sub  Prot  Clas Sub  Prot  Info
gnupg-ccid  0x0080  0x0 0x0 0x0 0x0  0x00 0x00 0x00  0x0B 0x00 0x00  0x
# SPR532 is CCID but without the proper CCID class
gnupg-ccid  0x0003  0x04e6 0xe003 0x0 0x0  0x00 0x00 0x00  0x0B 0x00 0x00  0x



gnupg-ccid
Description: test/plain

$ ls -l /etc/hotplug/usb/gnupg*
-rwxr-xr-x  1 root root 724 Sep 22  2004 /etc/hotplug/usb/gnupg-ccid
-rw-r--r--  1 root root 865 Mar 16 16:08 /etc/hotplug/usb/gnupg-ccid.usermap

Remember to chmod +x gnupg-ccid.  I use the group wk instead of scard,
so you need to change that.

Does this help?


Salam-Shalom,

   Werner

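
How the match_flags column of the usermap in the message above selects which fields are compared against a plugged-in device, as an added example that is not code from the original post or from the hotplug package. The field-by-field comparison is a simplified model of the matching; the sample entries use a constructed driver_info of 0x0 (the value in the post is cut off), and the device descriptors are constructed.

```python
# Flag values as listed in the usermap comments in the message above.
MATCH_FLAGS = {
    "VENDOR": 0x0001, "PRODUCT": 0x0002, "DEV_LO": 0x0004, "DEV_HI": 0x0008,
    "DEV_CLASS": 0x0010, "DEV_SUBCLASS": 0x0020, "DEV_PROTOCOL": 0x0040,
    "INT_CLASS": 0x0080, "INT_SUBCLASS": 0x0100, "INT_PROTOCOL": 0x0200,
}

# Column order as given in the usermap header comment.
FIELDS = ("script", "match_flags", "idVendor", "idProduct", "bcdDevice_lo",
          "bcdDevice_hi", "bDeviceClass", "bDeviceSubClass", "bDeviceProtocol",
          "bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol",
          "driver_info")

# Constructed sample in the layout of gnupg-ccid.usermap (driver_info assumed).
SAMPLE_USERMAP = """\
# generic CCID: match on interface class 0x0B only
gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x0
# SPR532: match on vendor and product, the class column is not compared
gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x0
"""


def parse_usermap(text):
    """Parse usermap text into dicts; reject fused or truncated columns."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} columns, "
                             f"got {len(cols)}")
        entry = {"script": cols[0]}
        for name, value in zip(FIELDS[1:], cols[1:]):
            # int(..., 16) accepts "0x0B" and "0"; a bare "0x" raises ValueError
            entry[name] = int(value, 16)
        entries.append(entry)
    return entries


def flag_names(flags):
    """Names of the USB_MATCH_* bits set in a match_flags value."""
    return [name for name, bit in MATCH_FLAGS.items() if flags & bit]


def matches(entry, dev):
    """True if every field selected by match_flags agrees with the device."""
    checks = {
        "VENDOR": entry["idVendor"] == dev["idVendor"],
        "PRODUCT": entry["idProduct"] == dev["idProduct"],
        "DEV_LO": entry["bcdDevice_lo"] <= dev["bcdDevice"],
        "DEV_HI": entry["bcdDevice_hi"] >= dev["bcdDevice"],
        "DEV_CLASS": entry["bDeviceClass"] == dev["bDeviceClass"],
        "DEV_SUBCLASS": entry["bDeviceSubClass"] == dev["bDeviceSubClass"],
        "DEV_PROTOCOL": entry["bDeviceProtocol"] == dev["bDeviceProtocol"],
        "INT_CLASS": entry["bInterfaceClass"] == dev["bInterfaceClass"],
        "INT_SUBCLASS": entry["bInterfaceSubClass"] == dev["bInterfaceSubClass"],
        "INT_PROTOCOL": entry["bInterfaceProtocol"] == dev["bInterfaceProtocol"],
    }
    return all(checks[name] for name in flag_names(entry["match_flags"]))


def scripts_for(entries, dev):
    """Scripts that would be run for this device, without duplicates."""
    found = []
    for entry in entries:
        if matches(entry, dev) and entry["script"] not in found:
            found.append(entry["script"])
    return found


def device(vendor, product, int_class):
    """Constructed device descriptor; fields not given are zero."""
    dev = {name: 0 for name in FIELDS[2:12]}
    dev.update(idVendor=vendor, idProduct=product, bcdDevice=0,
               bInterfaceClass=int_class)
    return dev


# SPR532 ids come from the usermap; its vendor-specific class 0xFF is assumed.
SPR532 = device(0x04e6, 0xe003, 0xFF)
GENERIC_CCID = device(0x1234, 0x5678, 0x0B)   # constructed ids, CCID class
OTHER_DEVICE = device(0x046d, 0x0a02, 0x01)   # non-CCID class, constructed

if __name__ == "__main__":
    rules = parse_usermap(SAMPLE_USERMAP)
    for name, dev in (("SPR532", SPR532), ("generic", GENERIC_CCID),
                      ("other", OTHER_DEVICE)):
        print(name, scripts_for(rules, dev))
```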


Re: PGP and Smartcards?

2005-07-22 Thread Werner Koch
On Thu, 21 Jul 2005 12:25:49 +0200, Felix E Klee said:

 * Can I use GnuPG for signing and decryption with a smart card and 2048
   bit RSA keys?  What limitations do I have to expect, if any?

Cards able to generate and use 2k RSA keys are not easily
available.  This will change in a year or so.  State of the art is
still 1k RSA.

 * Personally, I currently favor the Axalto Cryptoflex 32k.  But is there
   any card that you recommend? (I know that there's the OpenPGP card but
   it only supports keys up to 1024 bits - not an option.)

gpg only supports the OpenPGP card specification.  You are free to
implement it on your card.

 * Why was OpenSC removed with development version 1.9.17 of GnuPG?  From
   a software developer's point of view it just doesn't make sense to
   ditch an existing and supposedly well working library that provides a

* OpenSC is a huge and complex library with an ever changing API and
  often hidden ABI changes. It just makes too much trouble.  

* It requires your application to use pthreads which conflicts with
  the use of another threading library; GNU Pth in our case.

* We only need to _read_ PKCS#15 structures and not to _create_ them.
  This is actually pretty easy to implement.  PKCS#15 has
  intentionally been designed to ease things.

   standardized interface (PKCS#11) and whose license (LGPL) is compliant
   with the license of the GnuPG.

Not really: You need to build OpenSC without OpenSSL support.
Otherwise you put additional restrictions on any GPL program linking
to OpenSC - which is not compatible to the GPL.  Frankly, I don't
understand why the OpenSC folks still do this.  I complained about
this several times in the last years and it is one of the reasons why
I stopped working on OpenSC (I wrote the support for TCOS and
MICARDO).

 * If not GnuPG, what free software alternatives are there for doing PGP
   signing and decryption with a smart card?

I don't know.  For me the smartcard support works pretty well and I
know quite some people who are using it day by day for email and to
mount encrypted file systems.


Salam-Shalom,

   Werner





Re: PGP and Smartcards?

2005-07-22 Thread Werner Koch
On Fri, 22 Jul 2005 19:01:57 +0200, Felix E Klee said:

 OpenPGP cards with 2048 bit keys don't seem to be available at all.
 However, ordinary ISO 7816-4 compliant smart cards are available through
 online outlets.  For example CryptoFlex and CyberFlex cards can be

Good luck getting a secure and fast 2k RSA card.

 Uh, I guess this would cost me too much time.  One solution, though,
 would be to buy a JavaCard and try to run and enhance the OpenPGP Java
 implementation that was started by Zeljko Vrba [3].

Java cards do have some restrictions which don't allow to implement
ISO commands.

 A simpler solution, though, would probably be porting code for accessing
 an Axalto CryptoFlex 32k to GnuPG, or helping fork a clean PKCS#11
 library from OpenSC and interfacing it to GnuPG.  But before thinking

We won't support pkcs#11 because it is not a standard but a way to
interconnect proprietary applications using proprietary extensions to
pkcs#11.

 Can the crypto capabilities on an ISO 7816-4 compliant card actually be
 used for doing PGP?

-4 does not define asymmetric crypto.  You want -8.  The OpenPGP card
is ISO 7816-8 compliant.

 The thing is: All that I need is a card that can securely store a
 (private) RSA key and that can encrypt and decrypt data with this key.

Well, I am using that for a long time now and the latest gpg releases
work pretty well.  However if you want 2048k RSA I have no instant
solution; OTOH the card is for sure not the weakest link and 1024 RSA
is still far out of scope of any attack.


Salam-Shalom,

   Werner





Re: PGP and Smartcards?

2005-07-25 Thread Werner Koch
On Fri, 22 Jul 2005 22:42:20 +0200, Zeljko Vrba said:

 I would disagree on that. Java Card is totally programmable and if you
 want you can implement the complete ISO7816 command set (as far as the

Sorry, this was a misinterpretation by me.

 hardware permits, of course). The downside is that you will have to
 implement your own filesystem, etc, but it is doable.

Well for the OpenPGP card you don't need any filesystem as we only
use the get/put data commands.  Thus a simple offset,length table is
what you need.  Well, you know that of course.

 Why I didn't finish the development - because I've found some
 discrepancies between the GPG code, OpenPGP card spec and the PKCS#1

Care to elaborate on this?

I am still interested to have a reference implementation for java card
although I can't help very much with the implementation but I know all
the details of the specs and have some knowledge of the gpg code.


Salam-Shalom,

   Werner




Re: gpg doesn't know

2005-07-25 Thread Werner Koch
On Sun, 24 Jul 2005 23:58:13 +0400, Vladimir N Kutinsky said:

 Does anyone know what it means?
 gpg: CRC error; 92501E - 300D6B
 gpg: [don't know]: invalid packet (ctb=2b)

The input data is garbled.  Transmission error or the usual ascii
vs. binary FTP problem.


Salam-Shalom,

   Werner
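
The checksum gpg reports in the message above can be recomputed by hand. The following is an added example, not part of the original thread and not GnuPG's code: it implements the CRC-24 of RFC 4880 section 6.1 and checks an armored block against its `=XXXX` line. The payload and the helper names (`enarmor`, `check_armor`, `garble`, `ascii_mode_transfer`, `report`) are constructed for illustration.

```python
import base64

CRC24_INIT = 0xB704CE   # initial value from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB  # generator polynomial from RFC 4880, section 6.1

# Constructed payload standing in for binary OpenPGP data; it contains
# 0x0A bytes, which is what an ASCII-mode transfer rewrites.
SAMPLE = bytes(range(256))


def crc24(data: bytes) -> int:
    """CRC-24 over the raw (decoded) bytes, as used by OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def enarmor(data: bytes, kind: str = "PGP MESSAGE") -> str:
    """Wrap bytes in ASCII armor: base64 body plus '=' + base64(CRC-24)."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN {kind}-----", "", *lines, "=" + checksum,
         f"-----END {kind}-----", ""]
    )


def check_armor(text: str):
    """Return (ok, stored_crc, computed_crc, data) for one armored block."""
    lines = [ln.strip() for ln in text.splitlines()]
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN "))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END "))
    block = lines[begin + 1:end]
    blank = block.index("")            # armor headers end at the first empty line
    body = [ln for ln in block[blank + 1:] if ln]
    if not body or not (body[-1].startswith("=") and len(body[-1]) == 5):
        raise ValueError("armor has no CRC line")
    stored = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    data = base64.b64decode("".join(body[:-1]))
    computed = crc24(data)
    return stored == computed, stored, computed, data


def garble(armored: str) -> str:
    """Simulate a transmission error: change one character of the body."""
    lines = armored.split("\n")
    first = lines.index("") + 1
    swapped = "B" if lines[first][0] != "B" else "C"
    lines[first] = swapped + lines[first][1:]
    return "\n".join(lines)


def ascii_mode_transfer(data: bytes) -> bytes:
    """Simulate an ASCII-mode FTP transfer to a CRLF system (LF -> CRLF)."""
    return data.replace(b"\n", b"\r\n")


def report(text: str) -> str:
    ok, stored, computed, _ = check_armor(text)
    if ok:
        return "armor OK"
    return f"CRC mismatch: computed {computed:06X}, stored {stored:06X}"


if __name__ == "__main__":
    armored = enarmor(SAMPLE)
    print("intact armor:     ", report(armored))
    print("one char changed: ", report(garble(armored)))
    # Line-ending conversion leaves the armored copy verifiable here ...
    crlf = ascii_mode_transfer(armored.encode("ascii")).decode("ascii")
    print("armor, ASCII mode:", report(crlf))
    # ... but changes the binary form of the same data.
    print("binary, ASCII mode changed the data:",
          ascii_mode_transfer(SAMPLE) != SAMPLE)
```
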




Re: PGP and Smartcards?

2005-07-25 Thread Werner Koch
On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said:

 Your wording implies that the cards I mentioned aren't both secure and
 fast.  Any pointers?

No,  I was just not aware that they support 2k RSA and key generation
in particular.  My (old) specs don't say so.

 isn't that interesting, though.  The point is that AFAICS PKCS#11
 clearly defines an API, and perhaps it may become an ISO standard in the

No it does not define a clean API.  Almost everyone is using
proprietary extensions and I don't consider that a standard.  It is a
complex specification targeted to allow some interoperability between
proprietary applications.  With Free Software we are not bound to some
of these stupid things.

If we would try to support all pkcs#11 supported tokens we need to add
a lot of extra code to gpg to cope with minor peculiarities of the
tokens.

And well, complexity is the worst enemy of security.

 Framework or openCryptoki (unfortunately those two feature GPL
 incompatible licenses but who says that this won't change?).

Experience?  Missing copyright assignments, lost contact to the
authors?

 About the weakest link: For a master key the length of the key may well
 be the weakest link if the master key is stored away in a safe place and
 if it is only used once in a while on reasonably tamper proof systems

Unless you have real physical security with guards, barbed wire, 2m
concrete walls I really doubt that.  Hiring a burglar or a gunman is
far out cheaper than to break one key - even if it is a CA key for a
small or medium domain.


Shalom-Salam,

   Werner




Re: libcrypt and RC2 revisited

2005-07-26 Thread Werner Koch
On Tue, 26 Jul 2005 16:35:58 +0200, Sven Fischer said:

 out. Well, this seems to have a reason, since uncommenting and recompiling
 libgcrypt 1.2.1 let gpgsm try to decrypt the mail, but without success (it
 says no data). Where is the problem with this? Can I help in any way to
 decode the Outlook mails?

IIRC, we would need to implement a variant of RC2 to allow this.  And
well, 40 bit RC2 keys are pretty ridiculous.


Shalom-Salam,

   Werner




Re: libcrypt and RC2 revisited

2005-07-26 Thread Werner Koch
On Tue, 26 Jul 2005 19:22:06 +0200, Zeljko Vrba said:

 Ugh, I hope that you'll _never,ever_ allow such low-grade insecure
 algorithms in gpg or anything related to it, no matter what the public
 demand is.

For sure not in an application like gpg.  However for certain tools
(e.g. a crypto workbench) it makes sense to have even very simple
ciphers.


Salam-Shalom,

   Werner





Re: libcrypt and RC2 revisited

2005-07-27 Thread Werner Koch
On Wed, 27 Jul 2005 11:32:51 +0200 (MET DST), Johan Wevers said:

 write a RC2 plugin if it's really needed. Or is there an easy way to add
 new algorithms to the current version of GnuPG that doesn't require
 changes in many places in the code?

It is actually pretty simple but limited by the fact of OpenPGP
supported algorithms.


Salam-Shalom,

   Werner




Re: libcrypt and RC2 revisited

2005-07-28 Thread Werner Koch
On Thu, 28 Jul 2005 10:36:11 +0200, Zeljko Vrba said:

 For decryption there is no problem, of course. As for encryption.. it is

Well not supporting it _might_ help the sender to realize that he is
doing something strange (i.e. using a weak algorithm)

 but you have to have some kind of plugin for GPG, no? and GPG (except
 the experimental one) can't yet handle S/MIME. So linux mail readers

I won't declare the S/MIME support experimental in any way.  It is
actually stable and in production use at several sites.  It is just
that gpgsm is distributed in the development branch of gpg - which is
unfortunate, but currently there is no solution for it.

Let me repeat: gpgsm, gpg-agent and gpgconf as available in gnupg
1.9.x are stable and ready for use.  You may install GnuPG 1.9 along
with GnuPG 1.4 to get both: OpenPGP and S/MIME.

MUAs supporting gpgsm are at least KMail and Mutt (1.5.x).


Shalom-Salam,

   Werner




Re: Entropy in ascii-armored output?

2005-07-30 Thread Werner Koch
On Fri, 29 Jul 2005 20:56:58 -0400, David Shaw said:

  cat /good/random/source | gpg --enarmor

There is even an easier way:

gpg --gen-random -a 1 12

Returns 16 bytes of armored random; i.e. actual 12 bytes.  This uses
the same algorithm gpg uses for session keys.  By using 2 instead of 1
gpg will use the algorithm it uses for creating keys (i.e. it might
block until enough random is available).

You should use a multiple of 3 for the number of random bytes, so
that gpg won't produce padding characters.


Salam-Shalom,

   Werner




Re: Problem with gcry_pk_decrypt (libgcrypt)

2005-08-03 Thread Werner Koch
On Wed, 03 Aug 2005 14:33:57 +0200, Claudia Reuter said:

 I like to encrypt and decrypt large files e.g. pdf files. I wrote some
 code based on libgcrypt. I tested it with .txt files. Encryption seems
 to work, but gcry_pk_decrypt works only, if there's a single line in the
 txt file. If the txt file contains more than one line of text, the

Libgcrypt is a library of cryptographic building blocks.  At least a
medium level of cryptographic experience is required to make use of
it.

The usual way to encrypt large files is by using a hybrid approach.
It is simply impossible to use RSA to encrypt large blocks of data in
a secure and useful way.

You should better look into gpg or gpgme for your task.  


Salam-Shalom,

   Werner





Re: Primary certify-only key?

2005-08-03 Thread Werner Koch
On Wed, 03 Aug 2005 19:26:38 +0200, Thomas Kuehne said:

 The problem is that I cant create the first key with only C the
 capability.

GnuPG does not yet distinguish between C and S.  So it does not make
much sense to have a way of selecting this.


Salam-Shalom,

   Werner




Re: Leave clearsigned content encoding alone, how?

2005-08-04 Thread Werner Koch
On Thu, 04 Aug 2005 15:16:24 +0200 (CEST), Alain Bench said:

 Mutt half-recently began to force outgoing traditional inline PGP
 messages to UTF-8, disregarding the $send_charset list (in fact acting

Which is IMHO a proper interpretation of the OpenPGP specs.

Despite what a lot of people (from the ascii and inch dominated parts
of the universe) will tell, the only sensible way to go is by using
MIME.  It has been around for more than a decade and provides all
features you need for encryption and even better for proper signing.
And it is so easy; you can compose MIME messages by hand without
looking at the RFC.

Just say no to inline PGP!


SCNR,

  Werner




Re: throughput of GnuPG symmetric ciphers

2005-08-04 Thread Werner Koch
On Thu, 4 Aug 2005 08:10:00 -0500, Ryan Malayter said:

 My test show 7-zip yields ~228 Mbps on a 2.4 GHz P4. The only cipher
 available with this program is AES256 in (I believe) ECB mode.

Why encrypt at all when using ECB? ECB has no use except in very very
special cases.  

 Still, it seems a bit odd that this program generates AES-256
 throughput 2.78 times faster than the AES-256 implementation in
 GnuPG/libgcrypt on the same machine. I suppose those large lookup

Brian Gladman's code is pretty good but we can't include it into GnuPG
for legal reasons (it is in the contrib directory of 1.2, though) and
because it has been optimized for specific CPUs.

Yes. I'd like to see better optimized implementations but these days
it is hard to do unless you know exactly what CPU will run the code;
it's not only about ia32, sparc, ppc.  Each ia32 compatible CPU needs
its own optimized implementation - a lot of work in particular if not
being paid for.

 tables in the Gladman code really speed things up. (I would not think
 the extra XOR operation used in GnuPG's CFB implementation would

It's not the xoring but more likely caching and alignment issues.

 Gladman's code uses large tables, which presumably makes it vulnerable
 to the recently publicized timing attacks. That should not be an issue
 for GnuPG, but might be for other programs that use libgcrypt.

When implementing crypto systems one should never ever allow using the
system as an oracle.


Salam-Shalom,

   Werner




Re: Proof of email ownership

2005-08-08 Thread Werner Koch
On Mon, 08 Aug 2005 00:11:26 +0930, Alphax  said:

 Your other assumption is that everyone has continuous and unrestricted
 (no proxies, firewalls) internet access. I can't even get GPG to work

To clarify this: It is NOT a change of the trust model but an
optional feature.  Without access to the net you can't do it but you
won't either be able to download a key.  OTOH, this feature may also
be implemented at a trusted upstream MTA.


Salam-Shalom,

   Werner




Re: more than one message digest per signed message?

2005-08-08 Thread Werner Koch
On Sun, 07 Aug 2005 19:02:21 +0200, Thomas Kuehne said:

 Is it possible to use more than one message digest when signing a
 message with GnuPG?

No.


Shalom-Salam,

   Werner




Re: Proof of email ownership

2005-08-08 Thread Werner Koch
On Mon, 8 Aug 2005 09:37:10 +0200, Bernd Jendrissek said:

 Do these TXT records support having multiple keys associated with the
 same email address?  For example, I use D7CBA633 for everyday signing
 and encryption, and 24EEB426 for tin foil hat applications.

No. It can be extended to allow for this.  The current implementation
with TXT records should be considered experimental.


Shalom-Salam,

   Werner




Re: Proof of email ownership

2005-08-08 Thread Werner Koch
On Mon, 08 Aug 2005 14:24:50 +0200, Simon Josefsson said:

 gpg: can't put notation data into v3 (PGP 2.x style) signatures
 [EMAIL PROTECTED]:~$

 Is my key unusable with this scheme?

For better compatibility with pre OpenPGP implementations, gpg creates
v3 signatures with v3 keys (yours).  v3 signatures can't carry
notation data.  Use --force-v4-sigs to override this.


Salam-Shalom,

   Werner




Re: Proof of email ownership

2005-08-09 Thread Werner Koch
On Mon, 8 Aug 2005 20:34:33 +0200, Marco d'Itri said:

 How does this interact with DKIM?

DKIM does not work.  For example, their canonicalization is broken and
one can easily fake a MIME message.


Shalom-Salam,

   Werner





Re: Arguments for inline PGP

2005-08-09 Thread Werner Koch
On Tue, 09 Aug 2005 13:43:40 +0200, Thomas Kuehne said:

 OutlookExpress displays the message just like Mozilla or KMail without
 encryption plugins.

Use a MIME compliant MUA and not such a spam/DoS/virus vector.


Shalom-Salam,

   Werner




Re: removing revoked or expired signatures

2005-08-10 Thread Werner Koch
On Wed, 10 Aug 2005 11:48:06 +1000, Raymond  said:

   Is it possible to remove a revocation certificate?

No.  Once issued they should not be removed.


Shalom-Salam,

   Werner




Re: gpg commands

2005-08-10 Thread Werner Koch
On Tue, 09 Aug 2005 20:46:29 +0200, Holger Schüttel said:

 hello, I am still completely clueless in this area, but somehow
 entering the commands doesn't work; I have gnu1.4.2 and I surely have to enter

Please write in English here or direct your question to
[EMAIL PROTECTED]


Salam-Shalom,

   Werner




Re: deluid // why no passphrase required ?

2005-08-11 Thread Werner Koch
On Thu, 11 Aug 2005 01:32:33 +0200 (MET DST), Johan Wevers said:

 Are uid's also stored in the secret key? I thought they only existed

For historic reasons the user IDs are also stored in the secring.gpg.
This is an internal detail and will eventually change.


Shalom-Salam,

   Werner




Re: gpg-agent doesn't remember passphrase

2005-08-17 Thread Werner Koch
On Sat, 13 Aug 2005 22:49:27 +0200, Tristan Miller said:

 gpg-1.4.0-4
 gpgme-1.0.2-3
 pinentry-0.7.1-4
 libksba-0.9.10-3

and the version of gpg-agent is ... ?

gpg-agent --version


Salam-Shalom,

   Werner




Re: Install problems

2005-08-17 Thread Werner Koch
On Tue, 16 Aug 2005 11:04:08 +0300, Василий Петров said:

 Can you help me install libgcrypt under Windows platform ? I unable to use 
 configure with Windows

You need to build it on a POSIX system.  Debian GNU/Linux is the most
convenient system to do this (apt-get install mingw32) but other POSIX
systems should work too.  Native Mingw might also work.


Salam-Shalom,

   Werner




Re: PKCS#11 support for gpg-agent

2005-08-29 Thread Werner Koch
On Sat, 20 Aug 2005 17:01:04 +0300, Alon Bar-Lev said:

 The disclaimer at http://www.rsasecurity.com/rsalabs/node.asp?id=2133 states

It is not about the protocol but about the license incompatibility
between Mozilla and GPL applications.  AFAIK, not everything in
Mozilla has the option to be used under the GPL.

 Since if there is none, I don't see any reason why every project
 should implement its own standard of smartcard structure.

Because pkcs#11 is a standard to let two proprietary applications work
together - that is the whole reason for that complex and very limited
beast.

 If there will be (In the future) GPLed smartcard, it should also
 support PKCS#11 standard... So standard application will work...

Write one; it is not hard.  Or ask someone to write it.

 I am calling this proprietary... You cannot use keys and certificates
 that were enrolled for other application. This makes the use of gpg
 and smartcard very difficult to manage.

Nope.  It is not different than with any other smartcard.  The
compatibility is just on another level.

 Can you please reconsider the PKCS#11 support, without
 a new agent branch?

Ask me for a quote.


Shalom-Salam,

   Werner




Re: OpenPGP Card

2005-09-02 Thread Werner Koch
On Fri, 02 Sep 2005 18:45:53 +0300, Alon Bar-Lev said:

 environment...) It provides a generic API to access cryptographic
 tokens. Most smartcard vendors, including IBM, provide PKCS#11 library
 that communicates with their card.

Again: Feel free to provide one.  The only thing you need is libassuan
to connect to gpg-agent.  libassuan is even under LGPL so you can use
it with any kind of application - just put it into a shared library.

If something should be missing in gpg-agent to implement this, I will
help by adding the required facilities.  However, I don't have the
time to write a pkcs#11 library for gpg-agent/scdaemon for free.  If
this is that important for you and you don't want to do it yourself,
well ask me at my company address.


Shalom-Salam,

   Werner





Re: PKCS#11 support for gpg-agent

2005-09-02 Thread Werner Koch
On Fri, 02 Sep 2005 15:30:29 +0300, Alon Bar-Lev said:

 Most pkcs#11 stuff is not GPL compatible.
 
 But it does not say that GPLed software cannot use PKCS#11 interface
 in order to access none GPLed tokens!

Read the GPL again and you will see that this is not possible.

 I am sorry to read that... I think it is a good standard... Just like
 any RSA Security
 PKCS#* standard... at least it is a standard that most programmers

like PKCS#12 :-)

 I don't understand why you guys did not rewritten the PKCS#7, PKCS#1,
 PKCS#8, PKCS#9

pkcs#7 is nowadays called CMS.  It is used by gpgsm.  pkcs#1 is even
part of OpenPGP.

 The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?!
 You could have been very happy in your close PGP format world.
 Even if the standards are ugly, they at least work!

Depends on the standard.

 I am responsible of replacing software/suggest correct software for
 using smartcards.
 Currently gpg is on my black list... And because of this I tried to

As said in my other mail to gnupg-devel: If you have a commercial
interest, talk to me about implementing pkcs#11 - but don't expect to
get something for free.  I have laid out the path on how to implement
a pkcs#11 library to make use of gpg-agent/scdaemon as a token.  It is
also possible to write a pkcs#11 thingy for just that card.

 I don't meant to write another agent.  Write a pkcs#11 driver which
 uses gpg-agent as its token.
 
 
 This is the WRONG WRONG WRONG approach!!!

Well, my opinion is different.


Salam-Shalom,

   Werner




Re: PKCS#11 support for gpg-agent

2005-09-02 Thread Werner Koch
On Fri, 02 Sep 2005 18:21:06 +0300, Alon Bar-Lev said:

 Yes... But why? What was the reason to work so hard in adding S/MIME?
 The answer for my opinion is that IT IS A STANDARD!!!

I am sorry to correct you.  No mentally sane hacker would voluntarily
implement X.509 stupidity.  The reason why we wrote gpgsm was really
trivial: We have been convinced by means of money to undertake this.

 When PGP was invented there WAS NO standard to send and receive signed
 and encrypted messages, so PGP have implemented a proprietary method.

PEM dates back to 1987 (rfc989) quite some years before PGP was
written.

 Then, PGP tried to propose it as a standard... OpenPGP... But they
 have failed... It was not widely adopted...

It may not be widely adopted but nevertheless it is the standard to
make sure that confidential information can be sent over the Internet.
It is used all over the Net and major industry players are using it
and even requiring that suppliers are using PGP.

The IETF has not decided whether OpenPGP or S/MIME will be the
preferred standard.

 No... the purpose of gpg-agent is to allow gpg to access private
 (secret) keys that are located in different physical location such as
 smartcards...
  From my point of view this is THE MAJOR feature of gpg-agent...

The major feature is to encapsulate operations involving a private key
into one module - optionally to be run on a different device.  For
practical reasons gpg-agent also allows the use of smartcards.  The
passphrase caching is a bonus so that no second tool (like Quintuple
Agent) is needed for gpg versions which are not yet able to delegate
private key operations to the agent.


Shalom-Salam,

   Werner





Re: OpenPGP Card

2005-09-02 Thread Werner Koch

On Fri, 02 Sep 2005 16:13:45 +0300, Alon Bar-Lev said:

 Finally someone who understand... I had no such luck with Werner Koch, who
 argues that OpenPGP card is standard...

Well it is as much a standard as pkcs#15 is one.  Who decides what a
standard is?  RSA Corporation defines standards known as PKCS, we
define an ISO7816 compliant standard for a card, dubbed OpenPGP card.
You may use this one or do it like 99% of the smartcard vendors and
use a proprietary card application where the specs are in the best
case only available under NDA.

 an approach that each application may define how its smartcard should
 be built.
 This approach like any other proprietary approach will disappear along
 with its software,

Huh?  It is not about a particular application, it just happens that
gpg supports this card.  There are other applications unrelated to gpg
also using this card, for example the Poldi PAM.  I also know of other
projects using this card - just because it is well defined and the
specs are open.

 I don't think it is wise... There are some suitable cards that provide
 PKCS#11 in Linux,

Please go and read the standard before talking about it: No card
implements PKCS#11 because that is an API between a token provider and
an application.  No ISO compliant card will be able to implement
PKCS#11.

You might be thinking about pkcs#15 - this is indeed a standard which
defines how a card application may appear to software.  However there
are many variants of pkcs#15, it is complicated and experience showed
that it didn't help much with interoperability.  Given that card
applications are pretty small beasts, it seems to me far easier to add
its counterpart to the host application than to hammer it into a
limited framework.


Salam-Shalom,

   Werner


-- 
An engineer, a chemist, and a standards designer are stranded on a
desert island with absolutely nothing on it.  One of them finds a can
of spam washed up by the waves.

The engineer says "Taking the strength of the seams into account, we
can calculate that bashing it against a rock with a given force will
open it up without destroying the contents."

The chemist says "Taking the type of metal the can is made of into
account, we can calculate that further immersion in salt water will
corrode it enough to allow it to be easily opened after a day."

The standards designer gives the other two a condescending look, gazes
into the middle distance, and begins "Assuming we have an electric can
opener"
  - from Peter Gutman's X.509 Style Guide






Re: PKCS#11 support for gpg-agent

2005-09-03 Thread Werner Koch
On Fri, 02 Sep 2005 20:08:37 +0300, Alon Bar-Lev said:

 But it does not say that GPLed software cannot use PKCS#11 interface
 in order to access none GPLed tokens!
 Read the GPL again and you will see that this is not possible.

 I have... and did not find the place.
 Can you please refer me to the exact item where you find the
 restriction?

It is a matter of whether something is derivative work or not.  When
using a library and thus combining GPL and non-GPL code in the
same process, this is in almost all cases a derivative work.

 Well... so what is the problem of using PKCS#11 why can you use all
 the other PKCS#* and cannot use PKCS#11?

You are comparing apples to baskets.  The taste of the apples does not
necessarily induce the quality of the baskets used while reaping them.



Shalom-Salam,

   Werner






Re: GnuPG Large File Issues - Windows

2005-09-03 Thread Werner Koch
On Fri, 2 Sep 2005 12:32:36 -0400, Jeffrey Tadlock said:

 'gpg --encrypt-files -r System Administrator -z 0
 filename_5.7GB_in_size'

I recall that I once tested it and it used to work.  However it is a
long time ago so no guarantee.  My current test machine has not enough
space to run a test right now.

What will always work is to use

  gpg --encrypt-files -r "System Administrator" -z 0 <FILENAME >FILENAME.GPG

Note the '<' and '>'.  Using redirection gpg won't know anything about
the file size and simply encrypt everything coming in on the stdin to
stdout.  Decryption works similarly.


Shalom-Salam,

   Werner




Re: OpenPGP card and gpg-agent --enable-ssh-support

2005-09-03 Thread Werner Koch
On Sat, 03 Sep 2005 01:48:30 +0200, Andreas Liebschner said:

 But it still asks me the actual password for the user, not the pin or
 the passphrase of my gpg key. So I thought I should have added some

What does 

  ssh-add -l

give?  You should see the fingerprint of the card's key as well as
the card's number.  Note that there is no actual need for gpgkey2ssh; I
simply do

  ssh-add -L

which gives me the public key directly from the card.

To better debug what's going on, the first thing you should do is to
run

  ssh -v host

this will show you what keys are offered to the server and whether
they worked.

 Also, I noticed gpgkey2ssh will always produce a ssh-rsa key, even if I
 pass it the CS or the E key, is this normal?

Yes.


Salam-Shalom,

   Werner




Re: OpenPGP Card

2005-09-03 Thread Werner Koch
On Sat, 03 Sep 2005 13:05:50 +0300, Alon Bar-Lev said:

 I am sorry if I was too harsh during this discussion, it hurts to see
 people inventing standards of their own thus limiting the usage of
 their own great software.

No problem.

 I want to thank you for this discussion.

It's always good to discuss things, it helps to get to new ideas or to
reconsider things.


Shalom-Salam,

   Werner




Re: GnuPG Large File Issues - Windows

2005-09-04 Thread Werner Koch
On Sat, 3 Sep 2005 10:02:31 -0400, Jeffrey Tadlock said:

 Am I typing something wrong?  Here is what I typed:

 gpg --encrypt-files -r "System Administrator" -z 0 <sql-db.bak >sql-db.gpg

Sorry, I missed that you are using --encrypt-files.  This command is
different from --encrypt in that it takes a list of filenames from
stdin or a given filename and encrypts all files given in this list.
This is not what you want.

use

  gpg --encrypt -r "System Administrator" -z 0 <sql-db.bak >sql-db.gpg



Salam-Shalom,

   Werner




Re: PKCS#11 support for gpg-agent

2005-09-05 Thread Werner Koch
On Mon, 5 Sep 2005 08:35:15 +0100 (BST), Nicholas Cole said:

 gpg-1.9, and the thinking behind adding support for
 s/mime.  What is the roadmap (from the point of view
 of users) for gpg?

* The most important task is to integrate gpg 1.4 code base into gpg
  1.9.  I did this a long time ago but in the meantime we changed a lot
  of stuff in 1.4. so that it needs to be done again.

* The format of the keyrings will be switched to a newer one (KBX).
  This should really help with larger keyrings and provides some other
  goodies.

* Release 2.0

 Is there any sense in which opengpg is, or may be
 soon, a deprecated standard? 

NO.  We all like OpenPGP far more than S/MIME.

 Beyond the pros and cons of centralised CAs, what are
 the advantages of the two?

To match the structure of the organisation.  OpenPGP allows for all
kinds of PKIs; whereas X.509 requires a hierarchical one.



Salam-Shalom,

   Werner




Re: OpenPGP Card

2005-09-06 Thread Werner Koch
On Tue, 06 Sep 2005 19:35:34 +0200, Zeljko Vrba said:

 As Alon did remark earlier, the general movement in the industry is
 towards multi-purpose smart-cards. OpenPGP card currently doesn't fall
 into this category.

Not true.  The OpenPGP card specification is a card application and
you may put as many other applications on a card as you like and the
EEPROM allows to.  With 6k (and even less possible) it is actually a
pretty small application.


Shalom-Salam,

   Werner




Re: OpenPGP Card

2005-09-06 Thread Werner Koch
On Tue, 06 Sep 2005 16:04:28 +0200, Zeljko Vrba said:

 Anyway, the right way, as I've understood Alon, is to make gpg use
 gpg-agent. They communicate via a well defined _protocol_ and are not
 _linked_ together.

Just for the record: Linking is only one indication that the whole is
a derived work.  There is no one-to-one relationship and in
particular even two separate processes might make up a derived work.


Salam-Shalom,

   Werner




