Re: PGP signatures.
On Sun, Jun 1, 2008 at 5:30 PM, Patrick O'Callaghan [EMAIL PROTECTED] wrote:
> On Sun, 2008-06-01 at 14:32 -0500, Mikkel L. Ellertson wrote:
> > Even if you are using it for security purposes, you should not need
> > to protect the public keys.
>
> Probably not what you meant, but just to be absolutely clear: you *do*
> need to protect public keys against modification (not against reading,
> after all they're public :-)
>
> poc

Just for completeness and not meant to comment on this conversation.

http://en.wikipedia.org/wiki/Kerckhoffs%27_principle

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Re: PGP signatures.
On Sat, 2008-05-31 at 10:59 -0700, Les wrote:
> Simply put, one could create a keylist, publish it someplace secure
> with limited access and limited time availability, communicate to the
> designated individual where and when, and the designated individual
> could use something like VPN to pick up the encrypted key list. The key
> to break that key list could be given over the phone. The result would
> certainly minimize exposure of the keys.

I'm not sure that exposure of keys is a problem (so long as keys are
strong). I'd be unconcerned about exposure of uncrackable keys if keys
and key IDs were used, with no way to harvest email addresses from them.
i.e. If keys didn't contain addresses, just unique IDs.

I've seen systems which try and make this easier for users, they do all
the key handling externally. Unfortunately, that means that your private
key is held externally, and your passphrase to use it has to be
transmitted. Some of the turn-key virtual webhosting systems work that
way, e.g. CPanel. Worse still, users typically access their control
panel over HTTP, not HTTPS.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.3-18.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read
messages from the public lists.
Re: PGP signatures.
On Sun, 2008-06-01 at 17:12 +0930, Tim wrote:
> > Simply put, one could create a keylist, publish it someplace secure
> > with limited access and limited time availability, communicate to the
> > designated individual where and when, and the designated individual
> > could use something like VPN to pick up the encrypted key list. The
> > key to break that key list could be given over the phone. The result
> > would certainly minimize exposure of the keys.
>
> I'm not sure that exposure of keys is a problem (so long as keys are
> strong). I'd be unconcerned about exposure of uncrackable keys if keys
> and key IDs were used, with no way to harvest email addresses from
> them. i.e. If keys didn't contain addresses, just unique IDs.

The whole crux of the problem isn't exposing the (public) keys, it's
reliably associating a public key with an identity.

poc
Re: PGP signatures.
On Sun, 2008-06-01 at 14:32 -0500, Mikkel L. Ellertson wrote:
> Even if you are using it for security purposes, you should not need to
> protect the public keys.

Probably not what you meant, but just to be absolutely clear: you *do*
need to protect public keys against modification (not against reading,
after all they're public :-)

poc
Re: PGP signatures.
On Friday 30 May 2008 04:34:41 Tim wrote:
> On Thu, 2008-05-29 at 15:23 -0500, Aaron Konstam wrote:
> > Let me share that to me the whole discussion of PGP signatures was
> > very unenlightening. I have no idea how to sign e-mail or validate a
> > pgp signed e-mail. All the discussion seemed to me to be aimed at
> > people who knew all about this.
>
> Before you can make use of pgp in mail, you have to get pgp working.
> After you've made your own keys, the next thing you'll need is the
> other party's keys. You've got to be able to manage getting them in
> some way. *Then* you can move on to actually using them. Though there's
> probably an "understanding how the scheme works" process that you need
> to go through, first, judging by your comments.
>
> Start with the documentation, that's where most of the rest of us
> started, and you're less likely to get given a bum steer by it.
>
> -- 
> (This box runs Centos 5.0, my others still run FC 4, 5, 6, 7, in case
> that's important to the thread.)
>
> Don't send private replies to my address, the mailbox is ignored. I
> read messages from the public lists.

Some time back Fajar Priyanto wrote an excellent how-to. I'd recommend
it.

http://wiki.mandriva.com/en/Docs/Desktop/MUA/Kmail

Anne
Re: PGP signatures.
On Fri, 2008-05-30 at 13:04 +0930, Tim wrote:
> On Thu, 2008-05-29 at 15:23 -0500, Aaron Konstam wrote:
> > Let me share that to me the whole discussion of PGP signatures was
> > very unenlightening. I have no idea how to sign e-mail or validate a
> > pgp signed e-mail. All the discussion seemed to me to be aimed at
> > people who knew all about this.
>
> Before you can make use of pgp in mail, you have to get pgp working.
> After you've made your own keys, the next thing you'll need is the
> other party's keys. You've got to be able to manage getting them in
> some way. *Then* you can move on to actually using them. Though there's
> probably an "understanding how the scheme works" process that you need
> to go through, first, judging by your comments.
>
> Start with the documentation, that's where most of the rest of us
> started, and you're less likely to get given a bum steer by it.

It's a basic fact of life that crypto software is complicated for users,
and there appear to be fairly fundamental reasons why this is so (see
"Why Johnny Can't Encrypt", an interesting paper by a group of Stanford
researchers from a few years ago). You have to understand what a key is,
why it's not the same as a password, what it means to sign a message
etc. etc. Phil Zimmermann's book on PGP is a pretty good publication
:-), or just read one of the many online guides to get started.

poc
Re: PGP signatures.
Tim wrote:
> It would have helped if Evolution, for instance, allowed you to set an
> option in the address book to always encrypt for this person, rather
> than requiring the user to do an encrypt action choice for every email.
> I've had that option in other clients. That'd help against accidentally
> sending things in the clear, at the very least.

I think there are numerous deficiencies in Evolution then. I believe
Kmail has better gpg integration (and probably Thunderbird also). I'm
not sure if the Evolution developers have strong crypto support as much
of a goal. (FWIW, I don't use any of them regularly myself. I've been a
happy mutt user for years now. :)

> One thing that struck as being particularly painful, since it was email
> that we were talking about, was the inability to give someone your
> public key in some way through your mail program. Yes, I know that's
> not a brilliantly safe way to set things up. But with two PCs next to
> each other on a LAN, that would have been safe and an easy way to do
> it.

There's actually nothing wrong with trading keys via email. And any good
mail client should make it easy to import and export keys this way. I
know mutt does (and has for as long as I've used it). I believe that
Kmail does as well.

The important thing, no matter how you receive a key, is to properly
verify it. For me, this means either:

Exchanging the key info (fingerprint, size, and type) via some means
other than email or internet. Typically, it'd be a phone call or in
person meeting.

or

Having the key already signed by someone I trust.

But how you get the key itself isn't at all important and doing so via
email is as secure as downloading the key from a keyserver.

> You had to use the gpg program, separately, to publish your key, or
> create it as a file. The "mail and encryption are separate things"
> issue is difficult for many to comprehend, and that's just another
> thing that will discourage many from using it.

If this is made an issue, then you're using a mail client that does not
care about decent gpg integration AFAIAC.

> As I mentioned earlier, someone's obviously monitoring some keyservers,
> and harvesting addresses from them.

I never noticed an increase in spam when I added my keys, and they've
been there for a long time. Further, some of the addresses I had on my
keys never got any spam. Of course, I'm not trying to deny that your
experience isn't accurate, just saying that it doesn't seem to be
unilaterally true. But either way, losing the convenience of the public
keyserver isn't worth stopping a little spam IMO. I do next to nothing
to obscure my email address anymore. Instead, I rely on SpamAssassin to
quell the flow of spam that comes to me. That's preferable to me than
trying to hide my address in all the places it might be convenient to
expose it. But to each his own. :)

> Peculiarly, removing some addresses from the key had a similar effect
> (no more spam being received at those addresses). I didn't expect that
> to happen.

That is indeed quite odd. ;)

> The keyserver I used was: hkp://subkeys.pgp.net
>
> Though I'm inclined to suspect the harvesting is not that server, in
> itself.

Yeah, since most of the keyservers sync with each other, it could be any
of them. Hell, a spammer could even run one if they wanted to. But I
suspect there are better ways to get addresses.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Sex is hereditary. If your parents never had it, chances are you won't
either. -- Joseph Fischer
Re: PGP signatures.
On Thursday 29 May 2008 02:08, Tim wrote:
> On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> > It is important, though, to maintain the web-of-trust. It does have
> > legal implications, and that's why local signing is an option. I use
> > encryption for correspondence with one person, and for that I have to
> > use ultimate trust, yet I've never met him.
>
> I don't recall being required to ultimately trust someone to send them
> encrypted mail. I'd call that a foolhardy thing, too. It'd be better to
> set your mailer to trust people on your keyring - that affects what you
> do with the keys, rather than inappropriately bodging the keys,
> themselves.

Since it is a local setting it has no security implications for anyone
else. Local signing is designed to cope with situations like this.

Anne
Re: PGP signatures.
On Wed, 2008-05-28 at 16:48 -0500, Mikkel L. Ellertson wrote:
> gpg --list-keys 1E1C9C17

This does not work for me.

-- 
===
genealogy, n.: An account of one's descent from an ancestor who did not
particularly care to trace his own. -- Ambrose Bierce
===
Aaron Konstam telephone: (210) 656-0355 e-mail: [EMAIL PROTECTED]
Re: PGP signatures.
Aaron Konstam wrote:
> On Thu, 2008-05-29 at 11:07 -0500, Mikkel L. Ellertson wrote:
> > Aaron Konstam wrote:
> > > On Wed, 2008-05-28 at 16:48 -0500, Mikkel L. Ellertson wrote:
> > > > gpg --list-keys 1E1C9C17
> > >
> > > This does not work for me.
> >
> > Do you have her key in your key ring? If not, you have to run
> >
> > gpg --recv-keys 1E1C9C17
> >
> > first.
> >
> > Mikkel
>
> When I run:
>
> gpg --recv-keys 1E1C9C17
>
> I get the following message:
>
> [EMAIL PROTECTED] ~]$ gpg --recv-keys 1E1C9C17
> gpg: requesting key 1E1C9C17 from http server subkeys.pgp.net
> gpgkeys: no key data found for http://subkeys.pgp.net/
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

It looks like ~/.gnupg/gpg.conf may not have the keyservers configured
correctly. I know I kept the same config file through several updates,
and the keyservers were no longer valid. I am not sure if
hkp://subkeys.pgp.net would work. I am using:

keyserver hkp://wwwkeys.us.pgp.net

> Let me share that to me the whole discussion of PGP signatures was very
> unenlightening. I have no idea how to sign e-mail or validate a pgp
> signed e-mail. All the discussion seemed to me to be aimed at people
> who knew all about this.
>
> Before anyone gets offended let me admit you might reply RTFM.

Well, you could run (p)info gnupg or visit http://www.gnupg.org There
are also man pages for gpg... As far as verifying e-mail, there are
probably plugins for your e-mail client. I am using one for Thunderbird.

Mikkel
-- 
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
Re: PGP signatures.
Mikkel L. Ellertson wrote:
> Aaron Konstam wrote:
> > [EMAIL PROTECTED] ~]$ gpg --recv-keys 1E1C9C17
> > gpg: requesting key 1E1C9C17 from http server subkeys.pgp.net
> > gpgkeys: no key data found for http://subkeys.pgp.net/
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
>
> It looks like ~/.gnupg/gpg.conf may not have the keyservers configured
> correctly. I know I kept the same config file through several updates,
> and the keyservers were no longer valid. I am not sure if
> hkp://subkeys.pgp.net would work. I am using:
>
> keyserver hkp://wwwkeys.us.pgp.net

Yes, hkp://subkeys.pgp.net works, it's what I have in my gpg config and
what was the default for a while. With gnupg-1.4.9, the default changed
to hkp://keys.gnupg.net.

> > Let me share that to me the whole discussion of PGP signatures was
> > very unenlightening. I have no idea how to sign e-mail or validate a
> > pgp signed e-mail. All the discussion seemed to me to be aimed at
> > people who knew all about this.

I think that was due to nature of the thread. It wasn't started as a
"How to use PGP" thread. Such a thread might be on topic here, though
it would fit better on the gnupg-users list.

> > Before anyone gets offended let me admit you might reply RTFM.

Certainly, reading the fine manual first is probably the best step.
Then, if there are particular things that you have questions about, ask
away. Use of PGP/GPG is a rather large subject. I still remember
printing the manual from pgp 2.6.2 (100+ pages IIRC). Things are a lot
easier to use now, though understanding the concepts behind it is still
very beneficial to make good use of it.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
If you haven't got anything nice to say about anybody, come sit next to
me. -- Alice Roosevelt Longworth (1884-1980)
Re: PGP signatures.
On Thu, 2008-05-29 at 15:54 -0500, Mikkel L. Ellertson wrote:
> Aaron Konstam wrote:
> > On Thu, 2008-05-29 at 11:07 -0500, Mikkel L. Ellertson wrote:
> > > Aaron Konstam wrote:
> > > > On Wed, 2008-05-28 at 16:48 -0500, Mikkel L. Ellertson wrote:
> > > > > gpg --list-keys 1E1C9C17
> > > >
> > > > This does not work for me.
> > >
> > > Do you have her key in your key ring? If not, you have to run
> > >
> > > gpg --recv-keys 1E1C9C17
> > >
> > > first.
> > >
> > > Mikkel
> >
> > When I run:
> >
> > gpg --recv-keys 1E1C9C17
> >
> > I get the following message:
> >
> > [EMAIL PROTECTED] ~]$ gpg --recv-keys 1E1C9C17
> > gpg: requesting key 1E1C9C17 from http server subkeys.pgp.net
> > gpgkeys: no key data found for http://subkeys.pgp.net/
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
>
> It looks like ~/.gnupg/gpg.conf may not have the keyservers configured
> correctly. I know I kept the same config file through several updates,
> and the keyservers were no longer valid. I am not sure if
> hkp://subkeys.pgp.net would work. I am using:
>
> keyserver hkp://wwwkeys.us.pgp.net

You are absolutely correct. When I thought about it I realized that the
server I want is:

hkp://subkeys.pgp.net/

not http://subkeys.pgp.net/. With that change the command works. My bad.

-- 
===
The best audience is intelligent, well-educated and a little drunk.
-- Maurice Baring
===
Aaron Konstam telephone: (210) 656-0355 e-mail: [EMAIL PROTECTED]
Re: PGP signatures.
Tim wrote:
> On Wed, 2008-05-28 at 16:29 +0100, Bill Crawford wrote:
> > What do you do if you encounter a key that's signed by both someone
> > you trust personally, *and* someone you don't trust?
>
> I suppose that would depend on whether that was: You didn't know
> whether to trust them, or you distrusted them.

No. If A's key is signed with B's key, and B's key is known to be valid,
and you trust that B signs keys responsibly, then A's key is valid,
period. Other signatures are completely irrelevant. Nobody can make a
key invalid by signing it, no matter how evil or irresponsible or
untrustworthy they are.

Björn Persson
Re: PGP signatures.
On Thu, 2008-05-29 at 15:23 -0500, Aaron Konstam wrote:
> Let me share that to me the whole discussion of PGP signatures was very
> unenlightening. I have no idea how to sign e-mail or validate a pgp
> signed e-mail. All the discussion seemed to me to be aimed at people
> who knew all about this.

Before you can make use of pgp in mail, you have to get pgp working.
After you've made your own keys, the next thing you'll need is the other
party's keys. You've got to be able to manage getting them in some way.
*Then* you can move on to actually using them. Though there's probably
an "understanding how the scheme works" process that you need to go
through, first, judging by your comments.

Start with the documentation, that's where most of the rest of us
started, and you're less likely to get given a bum steer by it.

-- 
(This box runs Centos 5.0, my others still run FC 4, 5, 6, 7, in case
that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored. I read
messages from the public lists.
Re: PGP signatures.
On Tue, 2008-05-27 at 22:10 -0400, Todd Zullinger wrote:
> Aaron Konstam wrote:
> > I have the file set up as you indicate and evolution indicates the
> > key is invalid. Maybe it's evolution's fault.
>
> The issue that I was responding to was getting the key automatically
> retrieved from a keyserver. That is a separate issue from validating
> the key. If evolution tells you that the key is invalid, it would
> indicate to me that it did retrieve the key correctly. It then could
> not find any trusted signatures on that key, thus the key is invalid.
>
> For a key to be valid, it needs to be signed by a key to which you have
> given sufficient trust. Your own key is ultimately trusted. You can
> assign various levels of trust to other keys (once they have been
> signed by a trusted key). By default, gpg will consider a key valid if
> it is signed by at least one fully or ultimately trusted key, or by 3
> or more marginally trusted keys.

Ok, I agree with your analysis. It can't be ruled as invalid if it had
not been retrieved. But I am ignorant. I do not know how to do the
signing processes you describe. Is there a simple explanation available?

-- 
===
Beware of the Turing Tar-pit in which everything is possible but nothing
of interest is easy.
===
Aaron Konstam telephone: (210) 656-0355 e-mail: [EMAIL PROTECTED]
Re: PGP signatures.
On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> On Tue, 2008-05-27 at 22:10 -0400, Todd Zullinger wrote:
> > Aaron Konstam wrote:
> > > I have the file set up as you indicate and evolution indicates the
> > > key is invalid. Maybe it's evolution's fault.
> >
> > The issue that I was responding to was getting the key automatically
> > retrieved from a keyserver. That is a separate issue from validating
> > the key. If evolution tells you that the key is invalid, it would
> > indicate to me that it did retrieve the key correctly. It then could
> > not find any trusted signatures on that key, thus the key is invalid.
> >
> > For a key to be valid, it needs to be signed by a key to which you
> > have given sufficient trust. Your own key is ultimately trusted. You
> > can assign various levels of trust to other keys (once they have been
> > signed by a trusted key). By default, gpg will consider a key valid
> > if it is signed by at least one fully or ultimately trusted key, or
> > by 3 or more marginally trusted keys.
>
> Ok, I agree with your analysis. It can't be ruled as invalid if it had
> not been retrieved. But I am ignorant. I do not know how to do the
> signing

gpg --sign-key name

See gpg(1).

poc
Re: PGP signatures.
2008/5/28 Patrick O'Callaghan [EMAIL PROTECTED]:
> gpg --sign-key name

--lsign-key, please, unless you have met the person and seen their
passport.
Re: PGP signatures.
On Wednesday 28 May 2008 15:42:18 Mike Chambers wrote:
> On Wed, 2008-05-28 at 15:36 +0100, Bill Crawford wrote:
> > 2008/5/28 Patrick O'Callaghan [EMAIL PROTECTED]:
> > > gpg --sign-key name
> >
> > --lsign-key, please, unless you have met the person and seen their
> > passport.
>
> What is meant by name? Guess I am clueless to gpg and don't know my way
> around it (viewing man gpg at the moment) and not sure what to do for
> example, when like someone's signature says invalid from evo on an
> email to the list?

Bear in mind that sometimes minor changes can happen en route. I
occasionally see my posts as invalid, yet I can't see anything different
about them. Also, one particular list that I use routinely marks my
signatures as invalid. I know that that particular one is caused by
something routinely added by their server.

As usual, this is risk assessment. If you normally get OK messages from
that person and get the odd invalid one, look at whether there is
anything important, security-wise, and make a decision. If you are
getting them all the time then it may be worth deleting that key and
asking the person in question to send an .asc file direct to you, which
can then be imported. At least you'll know you are checking against a
good key.

Just a few ideas :-)

Anne
Re: PGP signatures.
2008/5/28 Mike Chambers [EMAIL PROTECTED]:
> What is meant by name? Guess I am clueless to gpg and don't know my way
> around it (viewing man gpg at the moment) and not sure what to do for
> example, when like someone's signature says invalid from evo on an
> email to the list?

It's usually the email address listed as the user id for the key (or
subkey). I find it easiest to do this via kgpg, actually - you just
right click and choose "Sign keys" from the menu.
Re: PGP signatures.
On Wed, 2008-05-28 at 09:42 -0500, Mike Chambers wrote:
> What is meant by name? Guess I am clueless to gpg and don't know my way
> around it (viewing man gpg at the moment) and not sure what to do for
> example, when like someone's signature says invalid from evo on an
> email to the list?

The name of the key to apply the command to, or some other identifying
term. You can refer to keys by fingerprints, id codes, usernames, email
addresses, etc. It just has to be something that the software can use to
work out which key it's supposed to work with.

-- 
(This computer runs FC7, my others run FC4, FC5 FC6, all using Gnome in
case that's important to the thread.)

Don't send private replies to my address, the mailbox is ignored. I read
messages from the public lists.
Re: PGP signatures.
Tim wrote:
> Patrick O'Callaghan:
> > gpg --sign-key name
>
> Bill Crawford:
> > --lsign-key, please, unless you have met the person and seen their
> > passport.
>
> A good idea, but could you tell a forged passport apart from a real
> one? I'm sure that I couldn't. Likewise for other forms of ID, I
> couldn't tell a real one from a good fake, and I'd have no way to
> verify a real ID. Though I seriously doubt that most of us would be
> using gpg in a way that required such a level of personal identity
> assurance.

I started signing my email to the lists when a couple of messages hit a
list with my email address that were not from me. This way, a forged
message stands out because of the lack of signature, or because it is
signed by a different key.

Mikkel
-- 
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
Re: PGP signatures.
On Wednesday 28 May 2008 17:07:59 Mikkel L. Ellertson wrote:
> Bill Crawford wrote:
> > 2008/5/28 Mike Chambers [EMAIL PROTECTED]:
> > > What is meant by name? Guess I am clueless to gpg and don't know my
> > > way around it (viewing man gpg at the moment) and not sure what to
> > > do for example, when like someone's signature says invalid from evo
> > > on an email to the list?
> >
> > It's usually the email address listed as the user id for the key (or
> > subkey). I find it easiest to do this via kgpg, actually - you just
> > right click and choose "Sign keys" from the menu.
>
> While you could use the person's name, you can run into more than one
> key for a person, with different email addresses. For example, I have
> keys for both my infinity-ltd.com address, and my old execpc.com email
> address. I probably should revoke the execpc.com address, but there are
> still some RPMs floating around signed with that key. Besides, I don't
> remember where I stored the private key for that one.

kgpg handles all that seamlessly. I have several people on my keyring
that have more than one key. It's also possible to have one key for
several addresses, as I do. For those that use kgpg, just take a look at
my key. It lists several addresses and is signed by a number of people -
yes, they did see my passport :-). Similarly,

gpg --list-keys 1E1C9C17

shows all the identities that my key can be used for.

Anne
Re: PGP signatures.
Patrick O'Callaghan wrote:
> On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> > Ok, I agree with your analysis. It can't be ruled as invalid if it
> > had not been retrieved. But I am ignorant. I do not know how to do
> > the signing
>
> gpg --sign-key name

Bzzt! Don't do that. Not unless you have:

1) Verified the details of the key (fingerprint, size, and type, at
least)

2) Verified the email address used (perhaps via a simple challenge email
asking the key holder to sign some data of your choosing and return it
to you)

3) Done some sort of validation that the name on the key is really the
name the key holder is known as

There is nothing to be gained by just signing a key to make the
"invalid" warning go away. And in fact, it can be harmful. If you use
--sign-key and then even send that key to someone else or to a
keyserver, others may take your signature to mean that you've done some
or all of the verification I mentioned above. If you haven't, you're
harming your reputation, as no one wants to trust the signature from
someone that doesn't do any verification. (Think of signing a key as you
would notarizing a document. You wouldn't stamp your seal on something
without some checking.)

If you really must silence the warning (and I would argue that there is
no point in that), you can use gpg --lsign-key to create a local
signature. Such a signature will not ever be exported.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Abandon the search for Truth; settle for a good fantasy.
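The validity rule Todd quoted earlier in the thread (a key is valid once it is signed by one fully trusted key or by three marginally trusted ones), Björn's point that a signature from someone you do not trust cannot make a key invalid, and the difference between --sign-key and --lsign-key that Todd describes above can all be made concrete in code. The Go program below is an added example written for this page; it is not part of the thread and not GnuPG's code. It models gpg's classic trust model over a small constructed keyring, hard-codes the default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5) as assumptions, and uses a LocalSign helper as a stand-in for what --lsign-key does: a certification from your own key that is never exported. Key names such as "alice" or "evilco" are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
)

// Trust is the owner trust you assign to a key's holder: how much you
// believe they verify identities before certifying other keys. It is a
// statement about the person, not about whether the key is really theirs.
type Trust int

const (
	TrustUnknown Trust = iota
	TrustNever
	TrustMarginal
	TrustFull
	TrustUltimate // your own keys
)

// Key is a simplified OpenPGP public key: its ID, the owner trust you gave
// it, the IDs of keys that certified it, and any local (non-exportable)
// certifications you made with --lsign-key.
type Key struct {
	ID        string
	Trust     Trust
	SignedBy  []string
	LocalSigs []string
}

// Keyring maps key IDs to keys.
type Keyring map[string]*Key

// gpg's classic trust model defaults, assumed here (tunable in gpg.conf
// with completes-needed, marginals-needed and max-cert-depth).
const (
	completesNeeded = 1
	marginalsNeeded = 3
	maxCertDepth    = 5
)

// Validate computes which keys are valid the way the classic model does:
// ultimately trusted keys are valid at depth 0; any other key becomes
// valid once it carries completesNeeded certifications from valid, fully
// trusted keys or marginalsNeeded from valid, marginally trusted keys,
// within maxCertDepth steps of an ultimate key. Certifications from keys
// you do not trust, or that are themselves invalid, are simply not
// counted; they can never make a key invalid.
func (kr Keyring) Validate() map[string]bool {
	valid := map[string]bool{}
	depth := map[string]int{}
	for id, k := range kr {
		if k.Trust == TrustUltimate {
			valid[id], depth[id] = true, 0
		}
	}
	for changed := true; changed; {
		changed = false
		for id, k := range kr {
			if valid[id] {
				continue
			}
			full, marginal, deepest := 0, 0, 0
			certs := append(append([]string{}, k.SignedBy...), k.LocalSigs...)
			for _, signer := range certs {
				s, ok := kr[signer]
				// Skip self-signatures, unknown signers, invalid signers and
				// signers already at the depth limit.
				if !ok || signer == id || !valid[signer] || depth[signer] >= maxCertDepth {
					continue
				}
				switch s.Trust {
				case TrustFull, TrustUltimate:
					full++
				case TrustMarginal:
					marginal++
				default:
					continue // never/unknown: counts neither for nor against
				}
				if depth[signer] > deepest {
					deepest = depth[signer]
				}
			}
			if full >= completesNeeded || marginal >= marginalsNeeded {
				valid[id], depth[id] = true, deepest+1
				changed = true
			}
		}
	}
	return valid
}

// LocalSign models `gpg --lsign-key id` from key self: the target becomes
// valid for you, but the certification is recorded as non-exportable.
func (kr Keyring) LocalSign(self, id string) {
	kr[id].LocalSigs = append(kr[id].LocalSigs, self)
}

// Export returns the certifications that would leave your machine with
// `gpg --export` or `--send-keys`: local signatures are omitted.
func (kr Keyring) Export(id string) []string {
	return append([]string(nil), kr[id].SignedBy...)
}

// SampleKeyring is constructed data for the example, not real keys.
func SampleKeyring() Keyring {
	kr := Keyring{}
	add := func(id string, t Trust, signers ...string) {
		kr[id] = &Key{ID: id, Trust: t, SignedBy: signers}
	}
	add("me", TrustUltimate)
	add("alice", TrustFull, "me", "evilco") // a distrusted co-signer changes nothing
	add("bob", TrustMarginal, "alice")
	add("erin", TrustMarginal, "alice")
	add("frank", TrustMarginal, "alice")
	add("dave", TrustUnknown, "bob", "erin", "frank") // three marginals suffice
	add("carol", TrustUnknown, "bob")                 // one marginal does not
	add("evilco", TrustNever, "mallory")
	add("mallory", TrustUnknown, "evilco", "carol") // only distrusted/invalid signers
	return kr
}

func main() {
	kr := SampleKeyring()
	valid := kr.Validate()
	ids := make([]string, 0, len(kr))
	for id := range kr {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%-8s valid=%v\n", id, valid[id])
	}
	kr.LocalSign("me", "carol")
	fmt.Println("after lsign: carol valid =", kr.Validate()["carol"],
		"exported certs =", kr.Export("carol"))
}
```

Running it shows carol invalid (one marginal certification), dave valid (three marginals), alice still valid despite the signature from the distrusted "evilco" key, and carol becoming valid only for you after LocalSign, with nothing new in what Export would publish.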
Re: PGP signatures.
On Wed, 2008-05-28 at 18:01 +0100, Anne Wilson wrote:
[snip]
> gpg --list-keys 1E1C9C17
>
> shows all the identities that my key can be used for.

[EMAIL PROTECTED] ~]$ gpg --list-keys 1E1C9C17
gpg: error reading key: public key not found

Got these keyservers enabled in .gnupg/gpg.conf

keyserver hkp://keys.gnupg.net
keyserver hkp://subkeys.pgp.net
keyserver ldap://keyserver.pgp.com

No luck with these search links either:

http://pgpkeys.pca.dfn.de/pks/lookup?search=1E1C9C17&op=vindex
http://keyserver.pgp.com/vkd/SubmitSearch.event?SearchCriteria=1E1C9C17

Typo?

Regards,
Patrick
Re: PGP signatures.
On Wednesday 28 May 2008 20:26:19 Patrick O'Callaghan wrote:
> On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> > On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> > > Tim wrote:
> > > > Patrick O'Callaghan:
> > > > > gpg --sign-key name
> > > >
> > > > Bill Crawford:
> > > > > --lsign-key, please, unless you have met the person and seen
> > > > > their passport.
> > > >
> > > > A good idea, but could you tell a forged passport apart from a
> > > > real one? I'm sure that I couldn't. Likewise for other forms of
> > > > ID, I couldn't tell a real one from a good fake, and I'd have no
> > > > way to verify a real ID. Though I seriously doubt that most of us
> > > > would be using gpg in a way that required such a level of
> > > > personal identity assurance.
> > >
> > > I started signing my email to the lists when a couple of messages
> > > hit a list with my email address that were not from me. This way,
> > > a forged message stands out because of the lack of signature, or
> > > because it is signed by a different key.
> >
> > For me, it was when someone accused me of sending a virused email,
> > again on a forged message.
>
> Anne, your signature on a message guarantees that you sent it (actually
> all it does is guarantee that it was sent by someone with access to
> your private key, but anyway), however the absence of your signature
> doesn't guarantee that you didn't send it. Your protestations that you
> always sign your mail have the same weight as saying you don't send
> viruses, so I don't see the gain in this specific example.

I tried to explain about looking at headers and comparing the
originating IP with a message known to be from me, but that was too much
for the person in question. As you say, the presence of my key shows
that it originated from one of my computers. That's good enough for the
purpose.

> > It is important, though, to maintain the web-of-trust. It does have
> > legal implications, and that's why local signing is an option.
>
> IANAL etc. etc. but what is your basis for saying it has legal
> implications? Some PKI systems may indeed have them, but GPG is not a
> PKI system.

IANAL either, but I understand that there have been contracts accepted
in law on the strength of such a signature. Of course that has no
relevance for me :-) What exactly do you mean by 'GPG is not a PKI
system'?

Anne
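The exchange above turns on what a mail signature does and does not prove: Mikkel signs so that forgeries stand out, Patrick notes that a good signature only shows the message was made with the private key (and that a missing signature proves nothing), Anne observes that list servers can alter a message after it was signed, and later in the thread a reader without the signer's public key gets "Can't check signature: public key not found". The Go program below is an added example written for this page, not code from the thread or from GnuPG: it substitutes Ed25519 from the standard library for OpenPGP's DSA/RSA, uses a made-up short key ID (hex of the last four bytes of the public key rather than OpenPGP's fingerprint-derived ID), and plays each scenario on constructed messages, returning the same four outcomes a gpg-aware mail client shows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// Result mirrors the outcomes gpg reports when a mail client checks a
// signed message.
type Result string

const (
	NoSignature   Result = "no signature (nothing to check)"
	KeyNotFound   Result = "can't check signature: public key not found"
	BadSignature  Result = "BAD signature (altered in transit or forged)"
	GoodSignature Result = "good signature"
)

// Mail is a constructed stand-in for a PGP/MIME message: the From header a
// reader sees, the body, the ID of the key claimed to have signed it, and
// the detached signature (nil for an unsigned message).
type Mail struct {
	From  string
	Body  string
	KeyID string
	Sig   []byte
}

// Keyring holds the public keys a reader has imported, by key ID.
type Keyring map[string]ed25519.PublicKey

// KeyID is the assumed short identifier used by this example.
func KeyID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub[len(pub)-4:])
}

// Sign produces a signed message; the claimed key ID matches priv.
func Sign(priv ed25519.PrivateKey, from, body string) Mail {
	pub := priv.Public().(ed25519.PublicKey)
	return Mail{From: from, Body: body, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, []byte(body))}
}

// Verify checks a message against the reader's keyring. Note what it does
// not do: nothing here looks at From, so a good signature means "made
// with this key", not "sent by the person named in the header".
func (kr Keyring) Verify(m Mail) Result {
	if m.Sig == nil {
		return NoSignature
	}
	pub, ok := kr[m.KeyID]
	if !ok {
		return KeyNotFound
	}
	if !ed25519.Verify(pub, []byte(m.Body), m.Sig) {
		return BadSignature
	}
	return GoodSignature
}

// Scenarios plays out the cases discussed in the thread and returns what a
// list reader who has imported only the genuine sender's key would see.
func Scenarios() map[string]Result {
	mikkelPub, mikkelPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)

	reader := Keyring{KeyID(mikkelPub): mikkelPub} // has Mikkel's key
	newcomer := Keyring{}                           // never fetched it

	genuine := Sign(mikkelPriv, "mikkel@example.org", "Do not meddle in the affairs of dragons")

	// A list server appends a footer after the message was signed.
	mangled := genuine
	mangled.Body += "\n-- \nlist footer added in transit"

	// A forger can spoof From but not the signature: leave it off, sign
	// with their own key, or claim Mikkel's key ID over their own signature.
	unsigned := Mail{From: "mikkel@example.org", Body: "I never wrote this"}
	ownKey := Sign(forgerPriv, "mikkel@example.org", "I never wrote this")
	claimed := ownKey
	claimed.KeyID = KeyID(mikkelPub)

	return map[string]Result{
		"genuine, key on keyring":             reader.Verify(genuine),
		"genuine, key not on keyring":         newcomer.Verify(genuine),
		"genuine, footer added in transit":    reader.Verify(mangled),
		"forged From, unsigned":               reader.Verify(unsigned),
		"forged From, signed with forger key": reader.Verify(ownKey),
		"forged From, claims Mikkel's key ID": reader.Verify(claimed),
	}
}

func main() {
	results := Scenarios()
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-38s -> %s\n", n, results[n])
	}
}
```

The unsigned forgery yields "no signature" rather than an error, which is Patrick's point: only a reader who knows to expect a signature from that sender learns anything. The forgery signed with the forger's own key shows up as "public key not found" for this reader, which is the "signed by a different key" case Mikkel describes, and it is also exactly what a reader sees for a genuine message when the signer never uploaded a key.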
Re: PGP signatures.
On Thu, 2008-05-29 at 10:38 +0930, Tim wrote:
> On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> > It is important, though, to maintain the web-of-trust. It does have
> > legal implications, and that's why local signing is an option. I use
> > encryption for correspondence with one person, and for that I have to
> > use ultimate trust, yet I've never met him.
>
> I don't recall being required to ultimately trust someone to send them
> encrypted mail. I'd call that a foolhardy thing, too. It'd be better to
> set your mailer to trust people on your keyring - that affects what you
> do with the keys, rather than inappropriately bodging the keys,
> themselves.

Slightly OT, but what the hell: we should realize that trusting keys
isn't the same as trusting people. "Trust" as applied to PGP/GPG keys
means "I believe this key belongs to this person" (e.g. because the
person physically gave me the public key and demonstrated that he could
sign things with the corresponding private one). It does *not* mean "I
trust this person not to lie to me or do evil with the information I
send him". It's unfortunate that the web-of-trust notion has taken on a
semantic overlay that doesn't fit, due in large part to the unfortunate
choice of terminology.

poc
Re: PGP signatures.
Patrick O'Callaghan wrote: Slightly OT, but what the hell: we should realize that trusting keys isn't the same as trusting people. Trust as applied to PGP/GPG keys means I believe this key belongs to this person (e.g. because the person physically gave me the public key and demonstrated that he could sign things with the corresponding private one). It does *not* mean I trust this person not to lie to me or do evil with the information I send him. It's unfortunate that the web-of-trust notion has taken on a semantic overlay that doesn't fit, due in large part to the unfortunate choice of terminology. A good point. In a few talks I've given on OpenPGP, I tried to make the distinction that validity is for keys, and trust is for people. And that this trust is (sort of like you say) in the sense of I trust this person to properly validate keys and not in the I trust this person is a completely decent human. :) -- ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ I believe in the noble, aristocratic art of doing absolutely nothing. And someday, I hope to be in a position where I can do even less.
Re: PGP signatures.
Mike Chambers wrote: On Tue, 2008-05-27 at 10:43 -0500, Mikkel L. Ellertson wrote: I wish people who sign their messages using PGP would make sure to upload their public key to one of the key servers. While it does not prove you are who you say you are, it would indicate that all the signed messages are from the same person. Without your public key, we have no way to check. According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found That is strange - It was sent a few years ago, as well as being published on my web page. Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Re: PGP signatures.
Dennis Gilmore wrote: On Tuesday 27 May 2008, Mike Chambers wrote: On Tue, 2008-05-27 at 10:43 -0500, Mikkel L. Ellertson wrote: I wish people who sign their messages using PGP would make sure to upload their public key to one of the key servers. While it does not prove you are who you say you are, it would indicate that all the signed messages are from the same person. Without your public key, we have no way to check. According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found kmail says it can't be found either Surprising. Enigmail told me it was an UNTRUSTED Good Signature from Mikkel L. Ellertson Dennis -- Kevin J. Cummings [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Registered Linux User #1232 (http://counter.li.org)
Re: PGP signatures.
On Tue, 2008-05-27 at 12:37 -0400, Kevin J. Cummings wrote: Dennis Gilmore wrote: On Tuesday 27 May 2008, Mike Chambers wrote: On Tue, 2008-05-27 at 10:43 -0500, Mikkel L. Ellertson wrote: I wish people who sign their messages using PGP would make sure to upload their public key to one of the key servers. While it does not prove you are who you say you are, it would indicate that all the signed messages are from the same person. Without your public key, we have no way to check. According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found kmail says it can't be found either Surprising. Enigmail told me it was an UNTRUSTED Good Signature from Mikkel L. Ellertson Untrusted just means you haven't decided to trust it. You probably need the gpg command line to do that (can't remember as I haven't used Enigmail in a while). poc
Re: PGP signatures.
Dennis Gilmore wrote: On Tuesday 27 May 2008, Mike Chambers wrote: According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found kmail says it can't be found either Do you guys have keyserver-options auto-key-retrieve in ~/.gnupg/gpg.conf? (Or do evo and kmail ignore gpg.conf and retrieve keys automatically regardless?) Also, what keyserver are you using? The gnupg default these days is subkeys.pgp.net, which finds Mikkel's key no problem. Trying with pgp.mit.edu (which many people still use despite it being broken with subkeys and not supporting photo-packets) finds the key as well, but a bit slower. -- ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ You can get more with a kind word and a gun than you can with a kind word alone. -- Al Capone (1899-1947)
Re: PGP signatures.
On Tuesday 27 May 2008 17:31:34 Dennis Gilmore wrote: On Tuesday 27 May 2008, Mike Chambers wrote: On Tue, 2008-05-27 at 10:43 -0500, Mikkel L. Ellertson wrote: I wish people who sign their messages using PGP would make sure to upload their public key to one of the key servers. While it does not prove you are who you say you are, it would indicate that all the signed messages are from the same person. Without your public key, we have no way to check. According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found kmail says it can't be found either Oh? Message was signed by [EMAIL PROTECTED] (Key ID: 0xA9B42B556DC9C8C4). The signature is valid, but the key's validity is unknown. Anne
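The three different results the list members got for the same message (Evolution: public key not found; Enigmail: untrusted good signature; KMail: signature valid, key validity unknown) are three distinct outcomes that a mail client has to tell apart. The following is an added example in Python, not the code of Evolution, KMail or Enigmail and not from any poster: it reads the machine-readable `[GNUPG:]` status lines that `gpg --verify --status-fd 1` emits (keywords as documented in GnuPG's doc/DETAILS) and classifies them. All status output in the block is constructed sample data; the only key ID reused from the thread is the one passed to `short_keyid`, which shows how the 8-digit ID in Mike's output relates to the 16-digit ID in Anne's.

```python
"""Classify `gpg --verify --status-fd 1` output into the outcomes a mail
client must distinguish. Added example (not GnuPG, Evolution, KMail or
Enigmail code); the [GNUPG:] keywords used are those GnuPG documents in
doc/DETAILS. All sample status text below is constructed."""

STATUS_PREFIX = "[GNUPG:] "
# Return code in the last field of ERRSIG when the public key is missing.
ERRSIG_NO_PUBKEY_RC = "9"


def short_keyid(keyid_hex):
    """The 8-hex-digit short key ID gpg prints in human-readable output
    ('DSA key ID 6DC9C8C4') is the low 32 bits, i.e. the last eight hex
    digits, of the 16-digit long key ID used on status lines and by KMail."""
    k = keyid_hex.strip().upper()
    if k.startswith("0X"):
        k = k[2:]
    return k[-8:]


def classify_status(status_text):
    """Return {'verdict', 'keyid', 'user'} for the signature in status_text.

    verdict is one of:
      'no-public-key'         gpg could not check the signature at all
      'bad-signature'         data or signature was altered
      'good-unknown-validity' signature checks out, key not validated by your trust db
      'good-key-distrusted'   signature checks out, you marked the key 'never'
      'good-valid'            signature checks out and the key is fully/ultimately valid
      'no-signature'          no signature verdict found in the output
    """
    keyid = user = None
    good = bad = no_pubkey = False
    trust = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable chatter is not on the status fd; ignore it
        rest = line[len(STATUS_PREFIX):]
        parts = rest.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "GOODSIG":
            good, keyid = True, parts[1]
            # The user ID may contain spaces, so split at most twice.
            user = rest.split(None, 2)[2] if len(parts) > 2 else None
        elif kw == "BADSIG":
            bad, keyid = True, parts[1]
        elif kw == "NO_PUBKEY":
            no_pubkey, keyid = True, parts[1]
        elif kw == "ERRSIG" and len(parts) >= 7:
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc>
            keyid = parts[1]
            if parts[6] == ERRSIG_NO_PUBKEY_RC:
                no_pubkey = True
        elif kw.startswith("TRUST_"):
            trust = kw  # TRUST_UNDEFINED / NEVER / MARGINAL / FULLY / ULTIMATE

    if bad:
        verdict = "bad-signature"
    elif no_pubkey:
        verdict = "no-public-key"
    elif good and trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        verdict = "good-valid"
    elif good and trust == "TRUST_NEVER":
        verdict = "good-key-distrusted"
    elif good:
        verdict = "good-unknown-validity"
    else:
        verdict = "no-signature"
    return {"verdict": verdict, "keyid": keyid, "user": user}


# Constructed status output for one signer in four situations (made-up key).
SAMPLE_MISSING_KEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1211903195 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
SAMPLE_GOOD_UNTRUSTED = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2008-05-27 1211903195 0 4 0 17 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_GOOD_VALID = SAMPLE_GOOD_UNTRUSTED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>\n"


def demo():
    """Classify the four constructed samples; returns {name: verdict}."""
    return {name: classify_status(text)["verdict"] for name, text in [
        ("missing", SAMPLE_MISSING_KEY), ("untrusted", SAMPLE_GOOD_UNTRUSTED),
        ("valid", SAMPLE_GOOD_VALID), ("bad", SAMPLE_BAD)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
    print("short ID of 0xA9B42B556DC9C8C4 is", short_keyid("0xA9B42B556DC9C8C4"))
```

The point of keeping `no-public-key` and `good-unknown-validity` separate is that only the first is fixed by fetching the key (`keyserver-options auto-key-retrieve`, or `gpg --recv-keys`); the second is fixed only by your own decision about the key, which is what the rest of the thread is about.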
Re: PGP signatures.
On Tuesday 27 May 2008 18:24:01 Patrick O'Callaghan wrote: On Tue, 2008-05-27 at 12:37 -0400, Kevin J. Cummings wrote: Dennis Gilmore wrote: On Tuesday 27 May 2008, Mike Chambers wrote: On Tue, 2008-05-27 at 10:43 -0500, Mikkel L. Ellertson wrote: I wish people who sign their messages using PGP would make sure to upload their public key to one of the key servers. While it does not prove you are who you say you are, it would indicate that all the signed messages are from the same person. Without your public key, we have no way to check. According to evo (Unless it's not pointing to a correct place), yours isn't public either :P gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux) gpg: Signature made Tue 27 May 2008 10:43:15 AM CDT using DSA key ID 6DC9C8C4 gpg: Can't check signature: public key not found kmail says it can't be found either Surprising. Enigmail told me it was an UNTRUSTED Good Signature from Mikkel L. Ellertson Untrusted just means you haven't decided to trust it. You probably need the gpg command line to do that (can't remember as I haven't used Enigmail in a while). And it needs to be signed as a local trust, not uploadable, since you haven't verified that Mikkel isn't actually Yul Brynner :-) man gpg explains all. Anne
Re: PGP signatures.
Aaron Konstam wrote: I have the file set up as you indicate and evolution indicates the key is invalid. Maybe it's evolution's fault. The issue that I was responding to was getting the key automatically retrieved from a keyserver. That is a separate issue from validating the key. If evolution tells you that the key is invalid, it would indicate to me that it did retrieve the key correctly. It then could not find any trusted signatures on that key, thus the key is invalid. For a key to be valid, it needs to be signed by a key to which you have given sufficient trust. Your own key is ultimately trusted. You can assign various levels of trust to other keys (once they have been signed by a trusted key). By default, gpg will consider a key valid if it is signed by at least one fully or ultimately trusted key, or by 3 or more marginally trusted keys. -- ToddOpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ Ambition is a poor excuse for not having enough sense to be lazy.
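The validity rule Todd states above (one fully or ultimately trusted signer, or three marginally trusted ones, and only valid keys get to vote) is what GnuPG's default trust model computes from your keyring and the ownertrust you assigned. The block below is an added example in Python, not GnuPG's own trustdb code and not from any poster: it applies that rule with GnuPG's default limits (`--completes-needed 1`, `--marginals-needed 3`, `--max-cert-depth 5`) to a small constructed web of trust, so you can see why a key can be "good signature, validity unknown" even though it is on your keyring. Simplifications assumed here: one user ID per key, no revocations, expiry or trust signatures. The key names, ownertrust assignments and certifications are invented.

```python
"""Key validity from a web of trust, following the rule GnuPG's classic
trust model applies by default. Added example, not GnuPG's code: it ignores
revocation, expiry, trust signatures and per-user-ID validity. The keys,
ownertrust levels and certifications below are constructed."""
from collections import defaultdict

# Ownertrust levels, numbered as gpg --export-ownertrust does.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 2, 3, 4, 5, 6

COMPLETES_NEEDED = 1   # fully trusted certifications needed for full validity
MARGINALS_NEEDED = 3   # marginally trusted certifications needed instead
MAX_CERT_DEPTH = 5     # longest certification chain from an ultimately trusted key


def compute_validity(certs, ownertrust):
    """certs: iterable of (signer, signed) certification signatures.
    ownertrust: {key: level} as you set it with 'trust' in gpg --edit-key.
    Returns {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}."""
    signers_of = defaultdict(set)
    keys = set(ownertrust)
    for signer, signed in certs:
        signers_of[signed].add(signer)
        keys.update((signer, signed))

    # Your own (ultimately trusted) keys are valid by fiat; all others start unknown.
    validity = {k: ("ultimate" if ownertrust.get(k) == ULTIMATE else "unknown")
                for k in keys}

    for _depth in range(MAX_CERT_DEPTH):
        prev = dict(validity)  # one round = one more hop of certification depth
        for k in keys:
            if prev[k] in ("ultimate", "full"):
                continue
            full_votes = marginal_votes = 0
            for s in signers_of[k]:
                # Only valid keys cast votes, a key cannot vouch for itself, and
                # the weight of a vote is the ownertrust you gave the signer.
                if s == k or prev[s] not in ("ultimate", "full"):
                    continue
                level = ownertrust.get(s, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    full_votes += 1
                elif level == MARGINAL:
                    marginal_votes += 1
            if full_votes >= COMPLETES_NEEDED or marginal_votes >= MARGINALS_NEEDED:
                validity[k] = "full"
            elif marginal_votes > 0:
                validity[k] = "marginal"
        if validity == prev:
            break
    return validity


# Constructed keyring: who you trust to certify others, and who signed whom.
DEMO_OWNERTRUST = {
    "me": ULTIMATE,                                   # your own key
    "alice": FULL,                                    # trusted to verify others carefully
    "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
    # erin is never assigned ownertrust, so her certifications carry no weight
}
DEMO_CERTS = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
    ("alice", "erin"),                                        # one full vote: valid
    ("bob", "frank"), ("carol", "frank"),                     # two marginal votes: not enough
    ("bob", "grace"), ("carol", "grace"), ("dave", "grace"),  # three marginal votes: valid
    ("erin", "heidi"),                                        # valid signer, but no ownertrust
    ("mallory", "heidi"), ("mallory", "mallory"),             # invalid signer; self-signature
]


def demo():
    """Validity of every key in the constructed keyring."""
    return compute_validity(DEMO_CERTS, DEMO_OWNERTRUST)


if __name__ == "__main__":
    for key, v in sorted(demo().items()):
        print(f"{key:8s} {v}")
```

Two things the run makes visible: a key signed by someone whose key is valid but who has no ownertrust (heidi, signed by erin) stays unknown, which is exactly the state a mail client reports as "untrusted good signature"; and a certification you make with `--lsign-key` counts in this local computation just like one made with `--sign-key`, since the only difference is that the local one is marked non-exportable and will not leave your keyring when you export or send the key to a keyserver.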