Re: PGP/GnuPG unsecure, should be replaced?

[Volker Birk]

On Thu, Jul 25, 2019 at 06:31:34PM +1200, Pieter le Roux wrote:
> Good idea! Change something because it works!

Hi,

there is sqv from Sequoia PGP:

https://sequoia-pgp.org/

Yours,
VB.
-- 
Volker Birk, p≡p project
mailto:v...@pep-project.org
https://pep.software


signature.asc
Description: PGP signature

Re: PGP/GnuPG unsecure, should be replaced?

[Pieter le Roux]

Good idea! Change something because it works!
Any change we can make it part of systemd?

My emoticon for being sarcastic:
OO|OO

On 19/07/19 11:34 PM, Stephan Seitz wrote:
> Hi!
>
> I found the following article about PGP/GnuPG:
> https://latacora.singles/2019/07/16/the-pgp-problem.html
>
> In short you should drop GnuPG because it doesn’t do anything really
> the right way. It should be replaced with different tools for
> different situations.
>
> Debian is using GnuPG for signing files. From the article:
>
> Signing Packages
>
> Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
> OpenBSD uses to sign packages. It’s extremely simple and uses modern
> signing. Minisign, from Frank Denis, the libsodium guy, brings the
> same design to Windows and macOS; it has bindings for Go, Rust,
> Python, Javascript, and .NET; it’s even compatible with Signify.
>
> What do you think?
>
> Shade and sweet water!
>
> Stephan
>

Re: PGP/GnuPG unsecure, should be replaced?

[Iain Grant]

I must have picked that up somewhere I didn't check when I was younger and
just took it as fact leading to fail :(  Sorry!

I am not a cryptographic expert - IANACE??

Iain

On Sun, Jul 21, 2019 at 8:11 PM Elmar Stellnberger 
wrote:

> Why do you think that TwoFish is bad? It was invented by Bruce Schneier
> and was in the last round of the AES competition. I believe it to be the
> better choice than AES.
> Am 20.07.19 um 21:41 schrieb Iain Grant:
>
> 2 fish... that in it's self is bad.  AES, sure lets all be ok about
> that.
>
> I also read the article and I realise I still rely on gpg far too much and
> that I need to ween myself off of it!
>
>
> Iain
>
> On Sat, Jul 20, 2019 at 8:33 PM qmi (list)  wrote:
>
>> Hi,
>>
>> On 7/19/19 1:34 PM, Stephan Seitz wrote:
>> > I found the following article about PGP/GnuPG:
>> > https://latacora.singles/2019/07/16/the-pgp-problem.html
>> >
>> > In short you should drop GnuPG because it doesn’t do anything really
>> > the right way. It should be replaced with different tools for
>> > different situations.
>>
>> I checked that article. For e.g. the article says, "If you’re lucky,
>> your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher
>> in CFB, ..."
>>
>> Wrong. The current implementation of GnuPG shipped by Debian Buster -
>> version 2.2.12 - does support modern cryptographic standards for
>> symmetric encryption, not only CAST5. For e.g., it does support twofish
>> and aes. Both of which use 128-bit block sizes, AFAIK. See command
>> output for gpg below about supported algorithms:
>>
>> "
>>
>> qmi@qmiacer:~$ gpg --version
>>
>> gpg (GnuPG) 2.2.12
>> (...)
>> Supported algorithms:
>> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
>> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>>  CAMELLIA128, CAMELLIA192, CAMELLIA256
>> (...)
>> "
>>
>> So it's good enough, apparently.
>>
>> >
>> > Debian is using GnuPG for signing files. From the article:
>> >
>> > Signing Packages
>> >
>> > Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
>>
>> You may be right, though. That tool might have better bindings for
>> modern programming languages.
>>
>> Regards,
>> --
>> qmi
>> Email: li...@miklos.info
>>
>>

Re: PGP/GnuPG unsecure, should be replaced?

[Elmar Stellnberger]

Why do you think that TwoFish is bad? It was invented by Bruce Schneier 
and was in the last round of the AES competition. I believe it to be the 
better choice than AES.


Am 20.07.19 um 21:41 schrieb Iain Grant:

2 fish... that in it's self is bad.  AES, sure lets all be ok about that.

I also read the article and I realise I still rely on gpg far too much 
and that I need to ween myself off of it!



Iain

On Sat, Jul 20, 2019 at 8:33 PM qmi (list) > wrote:


Hi,

On 7/19/19 1:34 PM, Stephan Seitz wrote:
> I found the following article about PGP/GnuPG:
> https://latacora.singles/2019/07/16/the-pgp-problem.html
>
> In short you should drop GnuPG because it doesn’t do anything
really
> the right way. It should be replaced with different tools for
> different situations.

I checked that article. For e.g. the article says, "If you’re lucky,
your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5
cipher
in CFB, ..."

Wrong. The current implementation of GnuPG shipped by Debian Buster -
version 2.2.12 - does support modern cryptographic standards for
symmetric encryption, not only CAST5. For e.g., it does support
twofish
and aes. Both of which use 128-bit block sizes, AFAIK. See command
output for gpg below about supported algorithms:

"

qmi@qmiacer:~$ gpg --version

gpg (GnuPG) 2.2.12
(...)
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
 CAMELLIA128, CAMELLIA192, CAMELLIA256
(...)
"

So it's good enough, apparently.

>
> Debian is using GnuPG for signing files. From the article:
>
> Signing Packages
>
> Use Signify/Minisign. Ted Unangst will tell you all about it.
It’s what

You may be right, though. That tool might have better bindings for
modern programming languages.

Regards,
--
qmi
Email: li...@miklos.info 

Re: PGP/GnuPG unsecure, should be replaced?

[qmi]

Hi

On 7/21/19 4:34 PM, Malte wrote:

li...@miklos.info transcribed 1.4K bytes on 20-Jul-2019 21:25:

I checked that article. For e.g. the article says, "If you’re lucky, your
local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher in CFB,
..."


"defaults to" and "supports" are two different words with two different
meanings. GnuPG's history is full of new features getting developed
while insecure defaults being kept.


Thanks for pointing out. Correct, I was not specific enough. GnuPG 
*defaults* to AES-128 when using symmetric encryption according to its 
manual page. In practice, it appears to be using AES-256. I would be 
surprised if the GnuPG version shipped by the most developer-friendly 
Linux OS on the planet defaulted to a 64-bit block cipher. Perhaps an 
earlier version of GnuPG did default to CAST5 block cipher, as Wikipedia 
article states.


qmi

Re: PGP/GnuPG unsecure, should be replaced?

[Malte]

li...@miklos.info transcribed 1.4K bytes on 20-Jul-2019 21:25:
> 
> I checked that article. For e.g. the article says, "If you’re lucky, your
> local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher in CFB,
> ..."
> 
> Wrong. The current implementation of GnuPG shipped by Debian Buster -
> version 2.2.12 - does support modern cryptographic standards for symmetric
> encryption, not only CAST5. For e.g., it does support twofish and aes. Both
> of which use 128-bit block sizes, AFAIK. See command output for gpg below
> about supported algorithms:

"defaults to" and "supports" are two different words with two different
meanings. GnuPG's history is full of new features getting developed
while insecure defaults being kept.

I think, before moving to something completely new, like signify,
moving to something like Sequoia PGP (https://sequoia-pgp.org),
might be a good first step, as it fits better with the already
existing infrastructure 🤷


Sincerely,

Malte

Re: PGP/GnuPG unsecure, should be replaced?

[Iain Grant]

2 fish... that in it's self is bad.  AES, sure lets all be ok about that.

I also read the article and I realise I still rely on gpg far too much and
that I need to ween myself off of it!


Iain

On Sat, Jul 20, 2019 at 8:33 PM qmi (list)  wrote:

> Hi,
>
> On 7/19/19 1:34 PM, Stephan Seitz wrote:
> > I found the following article about PGP/GnuPG:
> > https://latacora.singles/2019/07/16/the-pgp-problem.html
> >
> > In short you should drop GnuPG because it doesn’t do anything really
> > the right way. It should be replaced with different tools for
> > different situations.
>
> I checked that article. For e.g. the article says, "If you’re lucky,
> your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher
> in CFB, ..."
>
> Wrong. The current implementation of GnuPG shipped by Debian Buster -
> version 2.2.12 - does support modern cryptographic standards for
> symmetric encryption, not only CAST5. For e.g., it does support twofish
> and aes. Both of which use 128-bit block sizes, AFAIK. See command
> output for gpg below about supported algorithms:
>
> "
>
> qmi@qmiacer:~$ gpg --version
>
> gpg (GnuPG) 2.2.12
> (...)
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>  CAMELLIA128, CAMELLIA192, CAMELLIA256
> (...)
> "
>
> So it's good enough, apparently.
>
> >
> > Debian is using GnuPG for signing files. From the article:
> >
> > Signing Packages
> >
> > Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
>
> You may be right, though. That tool might have better bindings for
> modern programming languages.
>
> Regards,
> --
> qmi
> Email: li...@miklos.info
>
>

Re: PGP/GnuPG unsecure, should be replaced?

[qmi (list)]

Hi,

On 7/19/19 1:34 PM, Stephan Seitz wrote:

I found the following article about PGP/GnuPG:
https://latacora.singles/2019/07/16/the-pgp-problem.html

In short you should drop GnuPG because it doesn’t do anything really 
the right way. It should be replaced with different tools for 
different situations.


I checked that article. For e.g. the article says, "If you’re lucky, 
your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher 
in CFB, ..."


Wrong. The current implementation of GnuPG shipped by Debian Buster - 
version 2.2.12 - does support modern cryptographic standards for 
symmetric encryption, not only CAST5. For e.g., it does support twofish 
and aes. Both of which use 128-bit block sizes, AFAIK. See command 
output for gpg below about supported algorithms:


"

qmi@qmiacer:~$ gpg --version

gpg (GnuPG) 2.2.12
(...)
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
    CAMELLIA128, CAMELLIA192, CAMELLIA256
(...)
"

So it's good enough, apparently.



Debian is using GnuPG for signing files. From the article:

Signing Packages

Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what


You may be right, though. That tool might have better bindings for 
modern programming languages.


Regards,
--
qmi
Email: li...@miklos.info

Re: PGP key to use to contact the Security Team

[Simon Valiquette]

Joey Schulze un jour écrivit:

Simon Valiquette wrote:


  In the Securing Debian Manual, the key id to use to send an encrypted
email to the security team is 363CCD95, but on the following link,
it is F2E861A3 that is listed instead.

http://www.debian.org/security/faq.en.html#contact


Maybe the Securing Debian Manual is not up-to-date with regards to the
security contact key?



  I know, but since both keys were still valids, there was nothing either 
to indicate that it was the FAQ page which was wrong.



1. Do both keys are still valid?


You should use 0x/F2E861A3.



  Thank you, I will fix the Securing Debian Manual about it.


2. If the key F2E861A3 is legitimate (which I think it is because
I have a trust path to it), wouldn't it makes sense to sign it with
the old key as well? Or alternatively by 3 members of the security
team instead of just one?


"old key" would refer to 0x3682B5DF which expired on February 1st 2007
and is the predecessor to the current key.


 It would be kind of late to sign the current key with it only now, but 
it can make sense to sign the next key with F2E861A3 before it expire. 
Unless it is revoked, it would show quite clearly the intent and makes 
faking a new key much more difficult.


 Alternatively, announcing the new key once a year on debian-security in 
a signed email would do it, as we would be able to easily google for the 
key and check if it is legitimate.  People writing documentation would 
also notice the change a lot more quickly.


 The idea is that it is actually too easy for a single person to fake a 
new key ID, and too difficult to checks its legitimacy as the only public 
reference to it was the security FAQ page.


 Another solution is to have 3 people from the security team signing the 
key, as that would increase enough the trustfulness of the key.



Simon Valiquette


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: PGP key to use to contact the Security Team

[Joey Schulze]

Simon Valiquette wrote:
> 
>   Hello, I am finishing the French translation of the Securing Debian
> Manual, and I noticed something about the key to use to contact the
> Debian Security Team.
> 
>   In the Securing Debian Manual, the key id to use to send an encrypted
> email to the security team is 363CCD95, but on the following link,
> it is F2E861A3 that is listed instead.
> 
> http://www.debian.org/security/faq.en.html#contact

Maybe the Securing Debian Manual is not up-to-date with regards to the
security contact key?

> 1. Do both keys are still valid?

You should use 0x/F2E861A3.

> 2. If the key F2E861A3 is legitimate (which I think it is because
> I have a trust path to it), wouldn't it makes sense to sign it with
> the old key as well? Or alternatively by 3 members of the security
> team instead of just one?

"old key" would refer to 0x3682B5DF which expired on February 1st 2007
and is the predecessor to the current key.

> 3. The key F2E861A3 claims to have been created on 2007-07-29 and is
> set to expire on 2009-02-18.  So could someone clarify what will
> happens after it expire in six weeks?  Will it be replaced by a new
> key, or will the expiration date simply be changed?

It will be replaced by a newer key, as has happened with the security
key before.

Regards,

Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: PGP key to use to contact the Security Team

[Jonathan McDowell]

On Mon, Dec 29, 2008 at 03:50:48PM +0100, Kurt Roeckx wrote:
> On Mon, Dec 29, 2008 at 07:32:47AM -0500, Simon Valiquette wrote:
> >   So here are my questions:
> > 
> > 1. Do both keys are still valid?
> > 
> > 2. If the key F2E861A3 is legitimate (which I think it is because
> > I have a trust path to it), wouldn't it makes sense to sign it with
> > the old key as well? Or alternatively by 3 members of the security
> > team instead of just one?
> > 
> > 3. The key F2E861A3 claims to have been created on 2007-07-29 and is
> > set to expire on 2009-02-18.  So could someone clarify what will
> > happens after it expire in six weeks?  Will it be replaced by a new
> > key, or will the expiration date simply be changed?
> > 
> > 3. If the old key 363CCD95 is not used anymore, is there any reasons
> > for not revoking it?
> 
> 4. Why is 363CCD95 on keyring.debian.org but F2E861A3 isn't?

There is an outstanding RT ticket (#353) open for removing 363CCD95 from
keyring.debian.org. I have asked for a revocation certificate for it if
it's no longer in use and if a newer key should be included, but
received no reply so have made no changes.

J.

-- 
Web [   Reality is for people with no grasp of fantasy.]
site: http:// [  ]   Made by
www.earth.li/~noodles/  [  ] HuggieTag 0.0.23


signature.asc
Description: Digital signature

Re: PGP key to use to contact the Security Team

[Kurt Roeckx]

On Mon, Dec 29, 2008 at 07:32:47AM -0500, Simon Valiquette wrote:
> 
>   So here are my questions:
> 
> 1. Do both keys are still valid?
> 
> 2. If the key F2E861A3 is legitimate (which I think it is because
> I have a trust path to it), wouldn't it makes sense to sign it with
> the old key as well? Or alternatively by 3 members of the security
> team instead of just one?
> 
> 3. The key F2E861A3 claims to have been created on 2007-07-29 and is
> set to expire on 2009-02-18.  So could someone clarify what will
> happens after it expire in six weeks?  Will it be replaced by a new
> key, or will the expiration date simply be changed?
> 
> 3. If the old key 363CCD95 is not used anymore, is there any reasons
> for not revoking it?

4. Why is 363CCD95 on keyring.debian.org but F2E861A3 isn't?

5. Why is neither key documented in the developers reference?  Or
   atleast a refence to that such a key exists.


Kurt


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: pgp in Debian: obsolete?

[Lionel Elie Mamane]

On Thu, Aug 12, 2004 at 11:20:28PM +0200, Florian Weimer wrote:
>> Quoting Florian Weimer ([EMAIL PROTECTED]):

>> Just out of curiosity, are there now, or have there been in the
>> past, any _other_ implementations of the OpenPGP spec, besides
>> GnuPG?

> GnuPG is not a complete implementation of OpenPGP, either.

> Other partial implementations are contained in some PGP products,
> some NAI products, CryptoEx by Glück & Kanja, and so on.

There is HushMail, too.

-- 
Lionel


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: PGP vs GPG

[Tycho Fruru]

On Fri, 2004-08-27 at 14:48, Dale Amon wrote:
> gpg --import < gary.pub 
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

> cat gary.pub 

> -BEGIN PGP SIGNATURE-
[snip]

Are you sure you're really importing a public key here ?

Cheers
Tycho



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Ian Beckwith]

On Tue, Aug 10, 2004 at 02:51:19PM -0700, Rick Moen wrote:
> Quoting Ian Beckwith ([EMAIL PROTECTED]):
> 
> > Do you have links to documentation of these issues or where to get the
> > pirated versions? How pirated/illegal are they?
> > 
> > License permitting, I could maybe take patches from them.
> 
> Quoting the licence for pgpi 6.5.8:
> 
>   The source code contained herein is not intended to allow the
>   development of source code or software for commercial distribution. No
>   modifications to the source code contained in this book are allowed and
>   any further redistribution of the source code in any modified form is
>   expressly prohibited.

I assumed this would be taken care of by the fact we distribute the
.orig.tar.gz.

If that's not enough, then I assume we can't distribute it at all,
not even in non-free.

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Rick Moen:

> Quoting Florian Weimer ([EMAIL PROTECTED]):
>
>> I once worked on an OpenPGP implementation vulnerability matrix, but
>> this topic isn't very interesting anymore.  For me at least, there's
>> just GnuPG.
>
> Just out of curiosity, are there now, or have there been in the past,
> any _other_ implementations of the OpenPGP spec, besides GnuPG?

GnuPG is not a complete implementation of OpenPGP, either.

Other partial implementations are contained in some PGP products, some
NAI products, CryptoEx by Glück & Kanja, and so on.

Re: pgp in Debian: obsolete?

[Rick Moen]

Quoting Florian Weimer ([EMAIL PROTECTED]):

> I once worked on an OpenPGP implementation vulnerability matrix, but
> this topic isn't very interesting anymore.  For me at least, there's
> just GnuPG.

Just out of curiosity, are there now, or have there been in the past,
any _other_ implementations of the OpenPGP spec, besides GnuPG?  I tried
to find some, when I was preparing my lecture on GnuPG[1], and couldn't
find any.

[1] "GnuPG Lecture" on http://linuxmafia.com/kb/Security/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Rick Moen]

Quoting Florian Weimer ([EMAIL PROTECTED]):
> * Henrique de Moraes Holschuh:
> 
> >> Why non-free?  The code is available under a DFSG-free copyright
> >> license.
> >
> > The one I have here isn't, but if you have one that is entirely DFSG-free,
> > that's much better.
> 
> An older version is available from:
> 
>   

(Hey, that's my living room.  ;->  )

Although idea.c copyright holder Werner Koch licenses his copyright
under BSD terms, the header details Ascom AG's patent licence terms
(free of charge for non-commercial use).  As others have said, it's
solely the patent that's the problem -- but that patent makes the 
code non-free in all countries where the patent still has force:
I'm pretty sure that's just about everywhere.

Patent expires in 2011, by the way.  (Possibly a bit later in some
places.  There were filings in at least the USA, European Patent Office,
and Japan, to my knowledge.)



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Henrique de Moraes Holschuh:

>> Why non-free?  The code is available under a DFSG-free copyright
>> license.
>
> The one I have here isn't, but if you have one that is entirely DFSG-free,
> that's much better.

An older version is available from:

  


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Henrique de Moraes Holschuh]

On Thu, 12 Aug 2004, Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
> > On Thu, 12 Aug 2004, Florian Weimer wrote:
> >> >> You don't need to make a second version of GPG; the IDEA module can be
> >> >> loaded dynamically.
> >> > Then the module would need to be in non-free.
> >> non-us, I think.
> >
> > non-free in non-us, actually.
> 
> Why non-free?  The code is available under a DFSG-free copyright
> license.

The one I have here isn't, but if you have one that is entirely DFSG-free,
that's much better.

The whole issue with IDEA has always been the patents, anyway.  The
non-DFSG-freeness of the IDEA module (or of certain versions of it, anyway)
look a lot like an attempt of the author to protect himself from patent
problems.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Henrique de Moraes Holschuh:

> On Thu, 12 Aug 2004, Florian Weimer wrote:
>> >> You don't need to make a second version of GPG; the IDEA module can be
>> >> loaded dynamically.
>> 
>> > Then the module would need to be in non-free.
>> non-us, I think.
>
> non-free in non-us, actually.

Why non-free?  The code is available under a DFSG-free copyright
license.

> And maybe not even there, since the IDEA patent is a problem in
> europe.

non-US is just a misnomer.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Ian Beckwith:

> On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
>> Both PGP 5 and 6.5 have security issues which haven't been fixed
>> upstream (because there isn't any upstream anymore).  There are some
>> pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
>> shouldn't encourage distribution of them.
>
> Hmm.
>
> Do you have links to documentation of these issues

IIRC, there's a buffer overflow in the UID handling that has never
been published.  Then there's the Klima-Rosa attack, the lack of an
MDC (Modification Detection Code), and one or more user ID handling
bugs (see ).

I once worked on an OpenPGP implementation vulnerability matrix, but
this topic isn't very interesting anymore.  For me at least, there's
just GnuPG.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Henrique de Moraes Holschuh]

On Thu, 12 Aug 2004, Florian Weimer wrote:
> >> You don't need to make a second version of GPG; the IDEA module can be
> >> loaded dynamically.
> 
> > Then the module would need to be in non-free.
> non-us, I think.

non-free in non-us, actually. And maybe not even there, since the IDEA
patent is a problem in europe.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Phillip Hofmeister:

>> You don't need to make a second version of GPG; the IDEA module can be
>> loaded dynamically.

> Then the module would need to be in non-free.

non-us, I think.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Phillip Hofmeister]

On Thu, 12 Aug 2004 at 03:35:29AM -0400, Matthias Urlichs wrote:
> Hi, Phillip Hofmeister wrote:
> 
> > If you wanted to
> > make a second version of GPG and place it in non-free, that would likely
> > be an acceptable option.
> >
> You don't need to make a second version of GPG; the IDEA module can be
> loaded dynamically.
Then the module would need to be in non-free.

-- 
Phillip Hofmeister


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Matthias Urlichs]

Hi, Phillip Hofmeister wrote:

> If you wanted to
> make a second version of GPG and place it in non-free, that would likely
> be an acceptable option.
>
You don't need to make a second version of GPG; the IDEA module can be
loaded dynamically.

-- 
Matthias Urlichs


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Phillip Hofmeister]

On Tue, 10 Aug 2004 at 05:51:19PM -0400, Rick Moen wrote:
> Quoting Ian Beckwith ([EMAIL PROTECTED]):
> 
> > Do you have links to documentation of these issues or where to get the
> > pirated versions? How pirated/illegal are they?
> > 
> > License permitting, I could maybe take patches from them.
> 
> Quoting the licence for pgpi 6.5.8:
> 
>   The source code contained herein is not intended to allow the
>   development of source code or software for commercial distribution. No
>   modifications to the source code contained in this book are allowed and
>   any further redistribution of the source code in any modified form is
>   expressly prohibited.

Which is a clear violation of the social contract.  If you wanted to
make a second version of GPG and place it in non-free, that would likely
be an acceptable option.

-- 
Phillip Hofmeister


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Rick Moen]

Quoting Ian Beckwith ([EMAIL PROTECTED]):

> Do you have links to documentation of these issues or where to get the
> pirated versions? How pirated/illegal are they?
> 
> License permitting, I could maybe take patches from them.

Quoting the licence for pgpi 6.5.8:

  The source code contained herein is not intended to allow the
  development of source code or software for commercial distribution. No
  modifications to the source code contained in this book are allowed and
  any further redistribution of the source code in any modified form is
  expressly prohibited.

-- 
Cheers, Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
[EMAIL PROTECTED] modern-American-English-usage-improvement association.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Ian Beckwith]

On Sat, Aug 07, 2004 at 09:17:38PM +0200, Florian Weimer wrote:
> Both PGP 5 and 6.5 have security issues which haven't been fixed
> upstream (because there isn't any upstream anymore).  There are some
> pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
> shouldn't encourage distribution of them.

Hmm.

Do you have links to documentation of these issues or where to get the
pirated versions? How pirated/illegal are they?

License permitting, I could maybe take patches from them.

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
Listening to: Nusrat Fateh Ali Khan & Michael Brook - Asian Travels - Sweet Pain


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Arthur de Jong:

>> In short, better package the IDEA module for GnuPG...
>
> I did some work on this sometime ago, based on a previous package. The
> work is here:
>
> http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/
>
> It is sort of an source-based installer. You get the source, when building
> the package it downloads the source and creates a binary package. The
> source file idea.c is however not DFSG free because the copyrights notice
> forbids distribution in ceirtain coutries (and that is apart from the
> patent issue).

There are versions of idea.c for GnuPG which haven't got such
restrictions.  (The patent problem is unrelated and still applies, of
course.)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[elijah wright]

> http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/
>
> It is sort of an source-based installer. You get the source, when
> building the package it downloads the source and creates a binary
> package. The source file idea.c is however not DFSG free because the
> copyrights notice forbids distribution in ceirtain coutries (and that is
> apart from the patent issue).

do we know who the original author of that file was?  and what country
they wrote the code in?

a lot of times, those copyright notices are applied in order to protect
the author from possible violations of US export controls.  the original
author may now be able to relicense the code with a more compatible set of
restrictions...



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Arthur de Jong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


> In short, better package the IDEA module for GnuPG...

I did some work on this sometime ago, based on a previous package. The
work is here:

http://tiefighter.et.tudelft.nl/~arthur/gnupg-idea/

It is sort of an source-based installer. You get the source, when building
the package it downloads the source and creates a binary package. The
source file idea.c is however not DFSG free because the copyrights notice
forbids distribution in ceirtain coutries (and that is apart from the
patent issue).

- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBFgCcVYan35+NCKcRApPzAJwPLdZp3KY7xHxOI0HkwawSj+rhSQCg2rSl
+AZ8E4yeCiJFEwHGzf/Ephw=
=9S/q
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete? [gpg idea support]

[Jake Appelbaum]

On Thu, 2004-08-05 at 14:13, Rick Moen wrote:
> Just attempting to fill in missing detail:  PGP first used for its
> symmetric cipher Zimmerman's own amateur effort "Bass-o-Matic", which
> was quickly dropped and replaced with the IDEA algorithm.  IDEA is
> patent encumbered (and will remain that way for some years, yet).
> 
> GnuPG lacks IDEA support.  It was included for a while as an optional
> module, but has bene removed from the tarball.  (You can find it and
> retrofit it, if you search a bit.)


> That and the lingering IDEA problem (limiting only compatiblity with
> some PGP 2.x users) are all I'm aware of.  PGPi, unlike GnuPG, _does_
> include IDEA code by default.
> 

I wrote something about IDEA and gnupg a while ago. It's a quick blurb for people who 
wanted to use IDEA but weren't entirely sure how to do it:
http://yak.net/fqa/346.html

It's nothing special, but if you were wondering how, it's not very difficult.
Enjoy.

-- 
Jake Appelbaum <[EMAIL PROTECTED]>


signature.asc
Description: This is a digitally signed message part

Re: pgp in Debian: obsolete?

[Florian Weimer]

* Ian Beckwith:

> I shall attempt to get an updated pgp5i with FTBFS fixes into sarge,
> and post-sarge I will package 6.5.8 and get the package renamed
> from pgp5i to pgp.

Both PGP 5 and 6.5 have security issues which haven't been fixed
upstream (because there isn't any upstream anymore).  There are some
pirated versions of 6.5.8 that incorporate fixes, but Debian certainly
shouldn't encourage distribution of them.

In short, better package the IDEA module for GnuPG...


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Ian Beckwith]

Thanks to everyone for your comments.

On Thu, Aug 05, 2004 at 06:58:58PM +0100, Dale Amon wrote:
> Keep in mind people may have encrypted files and email
> archived. The means of accessing archive data should
> be considered to be at least as immortal as the data
> itself.

Given this and Rick Moen's comments about the IDEA issue,
I think it's worth keeping pgp in.

I shall attempt to get an updated pgp5i with FTBFS fixes into sarge,
and post-sarge I will package 6.5.8 and get the package renamed
from pgp5i to pgp.

Unfortunately, I'm not yet a DD, so... anyone fancy sponsoring my
uploads? Files are at:

http://nessie.mcc.ac.uk/~ianb/debian/

Ian.

-- 
Ian Beckwith - [EMAIL PROTECTED] - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
Listening to: Primal Scream - Vanishing Point - Kowalski


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Rick Moen]

Quoting Dale Amon ([EMAIL PROTECTED]):

> I don't know for sure either. I do seem to remember there was a
> document explaining how to transition and that there was a new key
> generation method. I also vaguely remember having some problem with my
> own package signing keys when the switch was made from PGP to GPG, but
> that is 4-5 years ago and I cannot for the life of me remember the
> details. I just have a vague disquiet about it.

Just attempting to fill in missing detail:  PGP first used for its
symmetric cipher Zimmerman's own amateur effort "Bass-o-Matic", which
was quickly dropped and replaced with the IDEA algorithm.  IDEA is
patent encumbered (and will remain that way for some years, yet).

GnuPG lacks IDEA support.  It was included for a while as an optional
module, but has bene removed from the tarball.  (You can find it and
retrofit it, if you search a bit.)

The problems with dodgy RSA support have, as you mentioned, now gone
away:  One can achieve maximum compatibility with various PGP versions
by avoiding mixing RSA and Diffie-Hellman / DSS, as detailed here:
http://www.shub-internet.org/pgp_5_tips.html

That and the lingering IDEA problem (limiting only compatiblity with
some PGP 2.x users) are all I'm aware of.  PGPi, unlike GnuPG, _does_
include IDEA code by default.

-- 
Cheers,There are only 10 types of people in this world -- 
Rick Moen  those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Dale Amon]

On Thu, Aug 05, 2004 at 11:40:09AM -0700, Rick Moen wrote:
> > Keep in mind people may have encrypted files and email
> > archived. The means of accessing archive data should
> > be considered to be at least as immortal as the data
> > itself.
> 
> Aren't GnuPG's decryption/verification features a superset of those in
> PGPi 5.0?  That's not a rhetorical question:  I've been telling people
> that for years in a good faith effort at accuracy, and so will
> appreciate any corrections.

I don't know for sure either. I do seem to remember 
there was a document explaining how to transition
and that there was a new key generation method. I also
vaguely remember having some problem with my own
package signing keys when the switch was made from
PGP to GPG, but that is 4-5 years ago and I cannot
for the life of me remember the details. I just have
a vague disquiet about it.

I'm certain that somewhere I've got files using the
old keys, and since I'm in Ireland, Murphy will
drop in for tea the day after PGP goes away...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Rick Moen]

Quoting Dale Amon ([EMAIL PROTECTED]):

> On Thu, Aug 05, 2004 at 06:51:22PM +0100, Ian Beckwith wrote:
> > If there is a demand for it, is there any reason I shouldn't upgrade
> > to the package to the latest pgp? (6.5.8 I believe, assuming the
> > international pgp restrictions no longer apply).
> 
> Keep in mind people may have encrypted files and email
> archived. The means of accessing archive data should
> be considered to be at least as immortal as the data
> itself.

Aren't GnuPG's decryption/verification features a superset of those in
PGPi 5.0?  That's not a rhetorical question:  I've been telling people
that for years in a good faith effort at accuracy, and so will
appreciate any corrections.

(I mean no disrespect to Ståle Schumacher Ytteborg or others who gave us
PGPi 5.0, which was extremely useful before GnuPG and the OpenPGP RFCs.)

Speaking from slightly rusty recollection of the issues on Ian's
original question, 6.5.8 is indeed the latest PGPi version for Unix, and 
I can't see any reason in the tarball why upgrading the package wouldn't
be a good thing (but it'd be nice if NAI decided they liked Changelogs).

-- 
Cheers, "That scruffy beard... those suspenders... that smug ex-
Rick Moen   pression You're one of those condescending Unix users!"
[EMAIL PROTECTED] "Here's a nickel, kid.  Get yourself a real computer."  
-- Dilbert


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: pgp in Debian: obsolete?

[Dale Amon]

On Thu, Aug 05, 2004 at 06:51:22PM +0100, Ian Beckwith wrote:
> If there is a demand for it, is there any reason I shouldn't upgrade
> to the package to the latest pgp? (6.5.8 I believe, assuming the
> international pgp restrictions no longer apply).

Keep in mind people may have encrypted files and email
archived. The means of accessing archive data should
be considered to be at least as immortal as the data
itself.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Pgp/GPG MiM chosen ciphertext attack

[Phillip Hofmeister]

It would appear this does not effect 1.06 (see footnote on page 5 of paper).

Good thing I didn't upgrade! :)

On Thu, 15 Aug 2002 at 10:34:28AM -0700, Anne Carasik wrote:
> You mean, the social engineering that they were so nice to
> point out? *sigh*
> 
> No cure for stupid users.
> 
> -Anne
> 
> This one time, Dale Amon wrote:
> > I presume most of you have heard about the paper
> > by Jallad, Katz and Schneier?
> > 
> > http://www.counterpane.com/pgp-attack.html
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> 
> -- 
>   .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
> ~`~~
> 



-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import


pgpzhCH0kwisy.pgp
Description: PGP signature

Re: Pgp/GPG MiM chosen ciphertext attack

[Anne Carasik]

You mean, the social engineering that they were so nice to
point out? *sigh*

No cure for stupid users.

-Anne

This one time, Dale Amon wrote:
> I presume most of you have heard about the paper
> by Jallad, Katz and Schneier?
> 
> http://www.counterpane.com/pgp-attack.html
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~



pgpmj9hXGhZBQ.pgp
Description: PGP signature

Re: KeyServer was Re: PGP

[Adrian 'Dagurashibanipal' von Bidder]

On Thu, 2002-08-08 at 08:52, Uwe A. P. Wuerdinger wrote:
> [-snip-]
> 
> Speaking of KeyServers is there a .deb for one of 'em around somewere?

Well, there's pks.

BUT
 - no photoid keys (as will all current hkp servers)
 - no multiple subkeys afaik

I'm basically waiting until somebody packages cks, or until I have the
time to do so. But cks (cryptnet) will need some improvement, too - it's
just 0.1 and basically working.

cheers
-- vbi

-- 
secure email with gpg http://fortytwo.ch/gpg


signature.asc
Description: This is a digitally signed message part

KeyServer was Re: PGP

[mlist-debiansecurity]

[-snip-]

Speaking of KeyServers is there a .deb for one of 'em around somewere?


greets Uwe
--
X-Tec GmbH
Institute for Computer and Network Security
WWW : http://www.x-tec.de/

Re: PGP

[Vineet Kumar]

* Daniel Rychlik ([EMAIL PROTECTED]) [020802 13:43]:
> Hello,
> 
> I have recently setup PGP on my Debian server at home.  I have setup
> Exim for relay of 3 hosts.  I would like to be able to include pgp
> signature signing for the three hosts.  My wife uses Outlook for her
> email and I was wandering if their was a way to automatically sign her
> email messages as they leave the mailbox.  Ive read the documentation
> Phillip Zimmerman, but it doesnt really have any info on setting up
> pgp keys for mail clients.  Any information would be great!  

I'm not sure exactly what it is you're trying to do, but I think you
should ask yourself what it is you're trying to gain.  If you have the
signatures added automatically, then I presume you also mean that you
are keeping private keys without passphrases.  The signature on those
messages doesn't really tell me that the message comes from your wife,
but rather that it passed through your mail server (if even that).  IMO,
GPG is something that should be implemented just at the ends of an
end-to-end communication path.  That is to say that I sign a message
when I compose it, before I send it.  It doesn't get signed somewhere in
the middle.  Similarly, I don't ask my tools to automatically decrypt
messages I receive; I do that only when I view them.

I'm not sure if there are any add-on packages for outlook (there were
last time I checked, but they may have since been orphaned), but it
sounds to me like your idea of adding it on at the server adds little
real security.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.anti-dmca.org/   


pgpSaw48v14im.pgp
Description: PGP signature

Re: PGP

[Mathias Palm]

On Fri, Aug 02, 2002 at 03:52:34PM -0500, Daniel Rychlik wrote:
> -BEGIN PGP SIGNED MESSAGE-
> 
> Hello,
> 
> I have recently setup PGP on my Debian server at home.  I have setup Exim for 
> relay of 3 hosts.  I would like to be able to include pgp signature signing 
> for the three hosts.  My wife uses Outlook for her email and I was wandering 
> if their was a way to automatically sign her email messages as they leave the 
> mailbox.  Ive read the documentation Phillip Zimmerman, but it doesnt really 
> have any info on setting up pgp keys for mail clients.  Any information would 
> be great!  

Sorry when telling you something you already know. There is a tool called kuvert
which seems to offer just what you want. 

Mathias

> 
> Daniel J. Rychlik
> http://daniel.rychlik.ws
> -BEGIN PGP SIGNATURE-
> Version: 2.6.3ia
> Charset: noconv
> 
> iQCVAwUBPUrwdQ8VKKJfCDjBAQH2tAP9HpxPoEtitgy/Sz7BtBbDnj4244CAVWhE
> DxXa0jlTJHDC5WnMmJ1da0OANHxTHA0XQeXFOB3S/5tmvvOJr56/An+/gN2lReZS
> MbkMhgHhTjEP+pbRNLQZN6MQ13H7SaSuEWhww8TaPwuhzdXqZmzKsc4kpjoh5ybM
> Au9Xidoems4=
> =DFXM
> -END PGP SIGNATURE-
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

Re: PGP

[Noah L. Meyerhans]

On Mon, Aug 05, 2002 at 01:19:45PM -0500, Daniel Rychlik wrote:
> must have missed that one.

I am sorry for giving an RTFM-style answer.  I didn't think anybody was
still using PGP.  Is there a specific reason you need it instead of gpg?

pgp can't upload to keyservers on its own.  Take a look at
http://www.keyserver.net/en/ for a web interface to adding keys to the
keyserver network.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


pgplxg4UAGdye.pgp
Description: PGP signature

Re: PGP

[Daniel Rychlik]

must have missed that one.

Re: PGP

[Florian Weimer]

"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:

> On Mon, Aug 05, 2002 at 01:06:03PM -0500, Daniel Rychlik wrote:
>> In pgp, how do I upload my public key to a key server?  Ive read the
>> documentation on it and I cannot seem to find a way to do it.  
>
>--send-keys [names]
>  Same as --export but sends the keys  to  a  key­
>  server.  Option --keyserver must be used to give
>  the name of this keyserver. Don't send your com­
>  plete keyring to a keyserver - select only those
>  keys which are new or changed by you.
>
> ...wasn't clear enough for you?

He's using PGP, look at his signature.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  fax +49-711-685-5898

Re: PGP

[Noah L. Meyerhans]

On Mon, Aug 05, 2002 at 01:06:03PM -0500, Daniel Rychlik wrote:
> In pgp, how do I upload my public key to a key server?  Ive read the
> documentation on it and I cannot seem to find a way to do it.  

   --send-keys [names]
 Same as --export but sends the keys  to  a  key?
 server.  Option --keyserver must be used to give
 the name of this keyserver. Don't send your com?
 plete keyring to a keyserver - select only those
 keys which are new or changed by you.

...wasn't clear enough for you?

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


pgpY154YP85xy.pgp
Description: PGP signature

Re: PGP

[Mathias Palm]

On Fri, Aug 02, 2002 at 03:52:34PM -0500, Daniel Rychlik wrote:
> -BEGIN PGP SIGNED MESSAGE-
> 
> Hello,
> 
> I have recently setup PGP on my Debian server at home.  
> I have setup Exim for relay of 3 hosts.  I would like to be able to
> include pgp signature signing for the three hosts.  My wife uses
> Outlook for her email and I was wandering if their was a way to
> automatically sign her email messages as they leave the mailbox.  
> Ive read the documentation Phillip Zimmerman, but it doesnt really
> have any info on setting up pgp keys for mail clients.  Any
> information would be great!  

The place to look is the exim manual. I guess the "system-wide message
filtering" would make something like this possible. 

You should also contact the debian-user mailing list or even find an
exim related mailing list.

Mathias 


> 
> Daniel J. Rychlik
> http://daniel.rychlik.ws
> -BEGIN PGP SIGNATURE-
> Version: 2.6.3ia
> Charset: noconv
> 
> iQCVAwUBPUrwdQ8VKKJfCDjBAQH2tAP9HpxPoEtitgy/Sz7BtBbDnj4244CAVWhE
> DxXa0jlTJHDC5WnMmJ1da0OANHxTHA0XQeXFOB3S/5tmvvOJr56/An+/gN2lReZS
> MbkMhgHhTjEP+pbRNLQZN6MQ13H7SaSuEWhww8TaPwuhzdXqZmzKsc4kpjoh5ybM
> Au9Xidoems4=
> =DFXM
> -END PGP SIGNATURE-
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

Re: PGP Keyserver

[Willi Dyck]

On Thu, Jun 06, 2002 at 01:44:20PM -0400, Phillip Hofmeister did this all over 
the keyboard:
> All,
> 
> There may be a thread on this topic...somwhere...
> 
> But, is there a fairly populated pgp keyserver besides
> wwwkeys.pgp.net?

Hi Phillip,

you could try 'host -l pgp.net | grep wwwkeys'.
Or wasn't it what you mean?

Dont' the all keep in sync with each other?

HTH

W.Dyck

-- 
never offend people with style when you can
offend them with substance.
--Sam Brown


pgpJyuSa1Rdt3.pgp
Description: PGP signature

Re: PGP Keyserver

[Jonathan McDowell]

On Thu, Jun 06, 2002 at 10:49:37AM -0700, Anne Carasik wrote:
> This one time, Phillip Hofmeister wrote:
> > But, is there a fairly populated pgp keyserver besides
> > wwwkeys.pgp.net?

> Here's a whole slew listed at:
> 
> http://www.openpgp.net/pgpsrv.html

Or:

http://keyserver.kjsl.com/~jharris/keyserver.html

J.

-- 
jid: [EMAIL PROTECTED]
Design a system any fool can use, and only
a fool will want to use it.


pgpSqaT9RENOV.pgp
Description: PGP signature

Re: PGP Keyserver

[Anne Carasik]

Here's a whole slew listed at:

http://www.openpgp.net/pgpsrv.html

-Anne

This one time, Phillip Hofmeister wrote:
> All,
> 
> There may be a thread on this topic...somwhere...
> 
> But, is there a fairly populated pgp keyserver besides
> wwwkeys.pgp.net?
> 
> Thanks,
> 
> Phil
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 

  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   [EMAIL PROTECTED] 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


pgpJLOLTZmRv5.pgp
Description: PGP signature

Re: pgp and elm

[Steve Greenland]

On 13-Jul-01, 02:38 (CDT), Curt Howland <[EMAIL PROTECTED]> wrote: 
> 
> finally pulled down pgp50i, and elm can now encrypt/decrypt successfully,
> but signing fails. "pgp returned error code 7" or something close to that.
> 
> anyone have a hint on making these co=operate? both are present stable
> distro's.

Not a direct answer, but have you considered switching to mutt? It's
very like elm in basic interface, much more configurable, very good
support for pgp and gnupg, is actively maintained upstream. If you
haven't tried it, I suggest you do -- I was happy elm user, but switched
to mutt years ago. (The mutt project was started by Michael Elkins, who
is the "me" in elm-me+, for whatever that may be worth.)


Steve
-- 
Steve Greenland <[EMAIL PROTECTED]>
(Please do not CC me on mail sent to this list; I subscribe to and read
every list I post to.)

Re: pgp and elm

[Steve Greenland]

On 13-Jul-01, 02:38 (CDT), Curt Howland <[EMAIL PROTECTED]> wrote: 
> 
> finally pulled down pgp50i, and elm can now encrypt/decrypt successfully,
> but signing fails. "pgp returned error code 7" or something close to that.
> 
> anyone have a hint on making these co=operate? both are present stable
> distro's.

Not a direct answer, but have you considered switching to mutt? It's
very like elm in basic interface, much more configurable, very good
support for pgp and gnupg, is actively maintained upstream. If you
haven't tried it, I suggest you do -- I was happy elm user, but switched
to mutt years ago. (The mutt project was started by Michael Elkins, who
is the "me" in elm-me+, for whatever that may be worth.)


Steve
-- 
Steve Greenland <[EMAIL PROTECTED]>
(Please do not CC me on mail sent to this list; I subscribe to and read
every list I post to.)


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: PGP and GnuPG

[Hanno Böttcher]

I got another problem, at work I use Winnt (have to) and PGP Freeware, but
when I write an encrypted mail to a friend of mine using GNU PGP he can read
my mails, but I can't read his? I think it's a problem of the MIME Body?


Thx for help Hanno

Re: PGP and GnuPG

[Hanno Böttcher]

I got another problem, at work I use Winnt (have to) and PGP Freeware, but
when I write an encrypted mail to a friend of mine using GNU PGP he can read
my mails, but I can't read his? I think it's a problem of the MIME Body?


Thx for help Hanno





--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: PGP vs. GPG && BAD SIGNATURE

[Peter Palfrader]

Hi Brian!

On Sun, 30 Apr 2000, Brian May wrote:

> > "Peter" == Peter Palfrader <[EMAIL PROTECTED]> writes:
> Peter> Pollywog, you really should not include signatures of other
> Peter> mails in replies :)
> 
> but that mail was PGP/MIME formatted. So I don't think it is quite as simple
> as what you are saying.
> 
> This was Ethan's signature:

> this is Pollywog's signature (the reply to that last message):
 
> oh wait, yes they are the same. Why XFMail is doing this, I don't know
> (as I don't use it myself). Perhaps this is a bug in XFMail.

Hmm Polywog did not sign his first mail so I assume he also did not
sign the second one. 

It really looks like including the sig. attachment in the reply.

(nevertheless a bug imho)
yours,
peter

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgpcGxEMGoPGi.pgp
Description: PGP signature

Re: PGP vs. GPG && BAD SIGNATURE

[Brian May]

> "Peter" == Peter Palfrader <[EMAIL PROTECTED]> writes:

Peter> Hi Pollywog!
>> mutt thinks: > [-- PGP output follows (current time: Sun Apr 30
>> 03:33:11 2000) --] > gpg: Signature made Sun Apr 30 02:17:24
>> 2000 CEST using DSA key ID 2C447AFC > gpg: BAD signature from
>> "Ethan R. Benson <[EMAIL PROTECTED]>" > [-- End of PGP output
>> --]

Peter> Argl. I really should read more than BAD sig.

Peter> Pollywog, you really should not include signatures of other
Peter> mails in replies :)

but that mail was PGP/MIME formatted. So I don't think it is quite as simple
as what you are saying.

This was Ethan's signature:



--MSd2ShuMixI0uVaZ
Content-Type: application/pgp-signature

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjkLe5QACgkQJKx7GixEevxO0QCeOBfj3MY+n6NIO8Qt/AA8tBSu
cm4An3ggPcIQ1KXmNTxrDRlhw1ZdFXuE
=GaGX
-END PGP SIGNATURE-

--MSd2ShuMixI0uVaZ--



this is Pollywog's signature (the reply to that last message):



--_=XFMail.1.4.4.Linux:2430005809:27687=_
Content-Type: application/pgp-signature

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjkLe5QACgkQJKx7GixEevxO0QCeOBfj3MY+n6NIO8Qt/AA8tBSu
cm4An3ggPcIQ1KXmNTxrDRlhw1ZdFXuE
=GaGX
-END PGP SIGNATURE-

--_=XFMail.1.4.4.Linux:2430005809:27687=_--



oh wait, yes they are the same. Why XFMail is doing this, I don't know
(as I don't use it myself). Perhaps this is a bug in XFMail.
-- 
Brian May <[EMAIL PROTECTED]>

Re: PGP vs. GPG && BAD SIGNATURE

[Peter Palfrader]

Hi Ethan!

On Sat, 29 Apr 2000, Ethan Benson wrote:

> > mutt thinks:
> > > [-- PGP output follows (current time: Sun Apr 30 03:33:11 2000) --]
> > > gpg: Signature made Sun Apr 30 02:17:24 2000 CEST using DSA key ID 
> > > 2C447AFC
> > > gpg: BAD signature from "Ethan R. Benson <[EMAIL PROTECTED]>"
> > > [-- End of PGP output --]
> > 
> > What might be the reason?
> 
> that is interesting, the message that came back to me verified so it
> could not be a mail system garbling...  what MUA do you use?  do you
> have any procmail recipies that might be tinkering with messages? 

Your message had a Good Sig. Unfortunatly Pollywog included your sig
attachtment when replying and it's clear that the sig to your original
message did not work with the reply :)


yours,
peter

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgplRmBLYaUlq.pgp
Description: PGP signature

Re: PGP vs. GPG && BAD SIGNATURE

[Ethan Benson]

On Sun, Apr 30, 2000 at 03:34:25AM +0200, Peter Palfrader wrote:
> Hi Pollywog!
> 
> 
> mutt thinks:
> > [-- PGP output follows (current time: Sun Apr 30 03:33:11 2000) --]
> > gpg: Signature made Sun Apr 30 02:17:24 2000 CEST using DSA key ID 2C447AFC
> > gpg: BAD signature from "Ethan R. Benson <[EMAIL PROTECTED]>"
> > [-- End of PGP output --]
> 
> What might be the reason?

that is interesting, the message that came back to me verified so it
could not be a mail system garbling...  what MUA do you use?  do you
have any procmail recipies that might be tinkering with messages? 

> On Sun, 30 Apr 2000, Pollywog wrote:
> 
> > You mean that the patent will expire in September, correct?
> 
> 20th of September yes. party!

we know were far gone when we party over tech patents expiring :P


-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpaC7yeA1TqE.pgp
Description: PGP signature

Re: PGP vs. GPG && BAD SIGNATURE

[Peter Palfrader]

Hi Pollywog!

> mutt thinks:
> > [-- PGP output follows (current time: Sun Apr 30 03:33:11 2000) --]
> > gpg: Signature made Sun Apr 30 02:17:24 2000 CEST using DSA key ID 2C447AFC
> > gpg: BAD signature from "Ethan R. Benson <[EMAIL PROTECTED]>"
> > [-- End of PGP output --]

Argl. I really should read more than BAD sig.

Pollywog, you really should not include signatures of other mails in
replies :)

yours,
peter

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgpLM1J8yvJjG.pgp
Description: PGP signature

Re: PGP vs. GPG && BAD SIGNATURE

[Peter Palfrader]

Hi Pollywog!


mutt thinks:
> [-- PGP output follows (current time: Sun Apr 30 03:33:11 2000) --]
> gpg: Signature made Sun Apr 30 02:17:24 2000 CEST using DSA key ID 2C447AFC
> gpg: BAD signature from "Ethan R. Benson <[EMAIL PROTECTED]>"
> [-- End of PGP output --]

What might be the reason?

On Sun, 30 Apr 2000, Pollywog wrote:

> You mean that the patent will expire in September, correct?

20th of September yes. party!


yours,
peter

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgpsfthcbOwrX.pgp
Description: PGP signature

Re: PGP vs. GPG

[Ethan Benson]

On Sun, Apr 30, 2000 at 12:58:09AM -, Pollywog wrote:
> 
> On 30-Apr-2000 00:17:24 Ethan Benson wrote:
> > On Sun, Apr 30, 2000 at 12:12:19AM -, Pollywog wrote:
> >> Where does one get the extensions?
> > 
> > i don't know where the upstream sources are, but they are packaged
> > for
> > debian (potato at least) in non-US/non-free  gpg-idea and gpg-rsa. 
> > 
> > note that gpg-rsa is illegal inside the US.  there is a gpg-rsaref
> > (think thats what its called) that is legal but its total crap. 
> > this
> > september rsaref will die however. 
> 
> You mean that the patent will expire in September, correct?

yup, the long wait for RSA's patent to expire will be over!  

> --
> Andrew



-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpYE61Xaz1jz.pgp
Description: PGP signature

Re: PGP vs. GPG

[Pollywog]

On 30-Apr-2000 00:17:24 Ethan Benson wrote:
> On Sun, Apr 30, 2000 at 12:12:19AM -, Pollywog wrote:
>> Where does one get the extensions?
> 
> i don't know where the upstream sources are, but they are packaged
> for
> debian (potato at least) in non-US/non-free  gpg-idea and gpg-rsa. 
> 
> note that gpg-rsa is illegal inside the US.  there is a gpg-rsaref
> (think thats what its called) that is legal but its total crap. 
> this
> september rsaref will die however. 

You mean that the patent will expire in September, correct?

--
Andrew


pgpTCn1nZnT8C.pgp
Description: PGP signature

Re: PGP vs. GPG

[Peter Palfrader]

Hi Pollywog!

On Sun, 30 Apr 2000, Pollywog wrote:

> Where does one get the extensions?

You'll find it at your local gpg mirror.

e.g:
http://gd.tuwien.ac.at/privacy/gnupg/contrib/

You want {idea,rsa{,ref}}.c


Don't forget to put
 load-extension idea
 load-extension rsa

into your ~/.gnupg/options 

yours,
peter

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgp5NrKEa1M1D.pgp
Description: PGP signature

Re: PGP vs. GPG

[Ethan Benson]

On Sun, Apr 30, 2000 at 12:12:19AM -, Pollywog wrote:
> Where does one get the extensions?

i don't know where the upstream sources are, but they are packaged for
debian (potato at least) in non-US/non-free  gpg-idea and gpg-rsa.  

note that gpg-rsa is illegal inside the US.  there is a gpg-rsaref
(think thats what its called) that is legal but its total crap.  this
september rsaref will die however.  

> On 29-Apr-2000 23:13:57 Ethan Benson wrote:
> > that version is anchient, and was not very compatible, even with
> > newer
> > PGP.  GPG is not really compatible with PGP2.6 (read RSA/IDEA) (not
> > without the non-free extensions)
> 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpiIbYIsCjuu.pgp
Description: PGP signature

Re: PGP vs. GPG

[Pollywog]

Where does one get the extensions?

On 29-Apr-2000 23:13:57 Ethan Benson wrote:
> that version is anchient, and was not very compatible, even with
> newer
> PGP.  GPG is not really compatible with PGP2.6 (read RSA/IDEA) (not
> without the non-free extensions)

Re: PGP vs. GPG

[Ethan Benson]

On Tue, May 02, 2000 at 02:03:12AM +0200, Jure Mercun wrote:
> Hi!
> 
> I have some problems (as usually...)...
> They're probably pretty lame, but I can't
> find the answers, so here they go:
> 
> I don't have a lot of experiences with
> PGP and GPG but it seems that PGP doesn't
> recognize GPG's keys and vice versa. Is
> there some way, to make a key that would
> work on both?
> 
> I was testing with GPG(0.4.3-1) and
^

that version is anchient, and was not very compatible, even with newer
PGP.  GPG is not really compatible with PGP2.6 (read RSA/IDEA) (not
without the non-free extensions)

> PGP(2.6.3a-4 and 5.0-3). I still use slink...

try GPG 1.0.1, compile it yourself if the .debs don't work.  any
further compatiblity problems with PGP5 can be blamed on PGP, its very
buggy and not OpenPGP compliant.

> Btw, the keys seem to work even after
> the expirery (is it spelled correctly?) date.
> What are they used for(the dates)? Are they
> only information for the user?

after the expiration date has passed you should be unable to encrypt
anything with the expired public key.  you can still decrypt with the
private key.  i think the software should not allow signatures with an
expired key but im not sure if GPG enforces that or not.  expiration
is more to get others to stop using a public key then to get the owner
to stop using it.  some people say you should always have your keys
expire, and i suppose that might be useful but on the other hand if
you do that you have to start over in getting your key certified and
reintegrated into the trust circle.  (which is not very easy if you
are in isolated locations (see my email :))

> How exactly can a revocation certificate
> be used? I read that it can be used to make
> the key useless... How?

revoke the key and submit it (the revoked pub key) to a keyserver,
when others update thier keyrings the key becomes revoked and they can
no longer encrypt with it.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpolm3AEHNvQ.pgp
Description: PGP signature

Re: PGP vs. GPG

[Peter Palfrader]

Hi Jure!

On Tue, 02 May 2000, Jure Mercun wrote:

> I don't have a lot of experiences with
> PGP and GPG but it seems that PGP doesn't
> recognize GPG's keys and vice versa. Is
> there some way, to make a key that would
> work on both?

GPG cannot handle RSA keys (pgp 2.6.x) out of the box. Install
gpg-{rsa,idea} (non-US/non-free)

Even then GPG does create messages readable with pgp2.6.x. There is a
tool called gpg2-comp[0]. Didn't work for me, YMMV.

DSA keys (introduced with pgp5) are no problems for GPG.


yours,
peter

 0. http://muppet.faveve.uni-stuttgart.de/~gero/gpg-2comp/

-- 
PGP encrypted messages prefered.
http://www.cosy.sbg.ac.at/~ppalfrad/


pgpmVUioZ2I4y.pgp
Description: PGP signature