Re: Primary certify-only key?
David Shaw schrieb: On Wed, Aug 03, 2005 at 07:26:38PM +0200, Thomas Kuehne wrote: Is there a way to generate the following key collection with GnuPG? pub 4096R usage: C sub 4096R usage: S The problem is that I cant create the first key with only C the capability. Using the --expert option and disabling E, S and A results in CSEA. Try the attached patch (to 1.4.2). Thanks for the patch Thomas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: libgcrypt again: error conflicting use in gcry_pk_encrypt
at least a managed it. code: void EncryptSessionKey(gcry_sexp_t encSessionKey, unsigned char* SessionKey, gcry_sexp_t pKey) { gcry_mpi_t a; gcry_sexp_t sexp; size_t KeyLength; int rc; KeyLength = gcry_md_get_algo_dlen(SelectedHash); //TODO: some padding with sessionkey rc = gcry_mpi_scan(a, GCRYMPI_FMT_USG, SessionKey, KeyLength, KeyLength); if(rc) throw GeneralError(MPI scan failed.\n%s\n, gpg_strerror( rc )); rc = gcry_sexp_build(sexp, NULL, %m, a); if(rc) throw GeneralError(Unable to build S-Expression.\n%s\n, gpg_strerror( rc )); rc = gcry_pk_encrypt(encSessionKey, sexp, pKey); if(rc) { gcry_sexp_release(sexp); throw GeneralError(Unable to encrypt session key.\n%s\n, gpg_strerror( rc )); } return; } greetings Claudia Reuter wrote: hi everybody. so now I try to create a session key to encrypt my text files. this seems to work. the session key must of course be encrypted with some public key. Now an error conflicting use occurs in the gcry_pk_encrypt function. Maybe anyone could tell me what's wrong. gcry_md_open( Hash , SelectedHash , 0 ); // Retrive digest size HashDigestSize = gcry_md_get_algo_dlen( SelectedHash ); Salt = (unsigned int*)gcry_random_bytes( SelectedSaltLength , GCRY_STRONG_RANDOM ); // Add salt to hash gcry_md_write( Hash , Salt , SelectedSaltLength ); // Fetch digest HashResult = gcry_md_read( Hash , SelectedHash ); //HashResult = (unsigned char*) malloc(SelectedSaltLength*sizeof(char)); //gcry_randomize(HashResult, SelectedSaltLength, GCRY_STRONG_RANDOM); rc = gcry_sexp_build(sexp, NULL, (data (flags pkcs1) (hash sha256 %b)), HashDigestSize, HashResult); if(rc) { throw GeneralError( Unable to build S-Expression. %s\n , gpg_strerror( rc ) ); } rc = gcry_pk_encrypt(sexpSessionKey, sexp, pKey); if(rc) { throw GeneralError( Unable to encrypt session key. %s\n, gpg_strerror( rc ) ); } Thanks in advance. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: SKS v. unknown HTTP headers (was: Re: IPv6 failover?)
On Thu, Aug 04, 2005 at 07:54:09AM -0400, David Shaw wrote: On Thu, Aug 04, 2005 at 12:24:27AM -0400, Jason Harris wrote: Thus, in reality, the Expect: 100-continue header appears to be confusing SKS (during POSTs). Hmm. No really good way to fix that in GPG or curl since they can't detect that a server is 1.0 without doing a GET first. Curl, if I Disregard that. It isn't the Expect: header, it was the [s]scanf. This patch fixes it: diff -u -r1.5 dbserver.ml --- dbserver.ml +++ dbserver.ml @@ -415,8 +415,9 @@ let request = Wserver.strip request in match request with /pks/add - - let keytext = Scanf.sscanf body keytext=%s (fun s - s) in + let keytext = Scanf.sscanf body keytext%s (fun s - s) in let keytext = Wserver.decode keytext in + let keytext = Str.string_after keytext 1 in let keys = Armor.decode_pubkey keytext in plerror 3 Handling /pks/add for %d keys (List.length keys); -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? [EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 pgpIDzPHesXTN.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Proof of email ownership
Hello, I just installed GnuPG to Thunderbird, created a key pair and uploaded it to a keyserver. I have expected to receive some mail designed to verify that I really own the email address (similar to the one that just received to subscribe to this list), but I did not receive any. How can people know that I own the address if GnuPG did not check it? My next idea was that GnuPG is multipurpose cryptographic software and I need to get some special signature verifying that I own specific mail. I was looking for a way to accomplish that, but I have not found any. Are there any servers/bots that can verify that I own mail and then sign my key to certify that? Regards, David Srbecky ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Save signature in mail headers
Hello, I would like to sign all my mail, but I do not want to annoy people that have incompatible e-mail clients with extra attachment file or signature in the text of the message. Is it possible to send the signature in mail headers? Regards, David Srbecky ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Proof of email ownership
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Srbecky wrote: Hello, I just installed GnuPG to Thunderbird, created a key pair and uploaded it to a keyserver. I have expected to receive some mail designed to verify that I really own the email address (similar to the one that just received to subscribe to this list), but I did not receive any. How can people know that I own the address if GnuPG did not check it? My next idea was that GnuPG is multipurpose cryptographic software and I need to get some special signature verifying that I own specific mail. I was looking for a way to accomplish that, but I have not found any. Are there any servers/bots that can verify that I own mail and then sign my key to certify that? Regards, David Srbecky ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users The understanding I have is that you have to establish trusts with people. All the keyserver does is shows that someone using your e-mail address signed the message. The individual who receives the e-mail has to establish trust for the key. They do that either by contacting you via another method for confirmation, or meeting you at a 'keysigning' where you establish a face to face with other people. I'm relatively new to all of this myself, but I'm pretty sure I read that in the gnupg.org website. That would be your best source of information, short of other more experienced people replying here. Patrick Dickey. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC8/lulYHHywHZe7ARAr+dAJ41Oc2YTmTH2+QTPI1hGyrguD1mWwCfZ/XW cM4sWyXs9A7/2MmWUNICgWE= =ZxWi -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Save signature in mail headers
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 In reply to David Srbecky's message sent 2005-08-05 17:43: I would like to sign all my mail, but I do not want to annoy people that have incompatible e-mail clients with extra attachment file or signature in the text of the message. Is it possible to send the signature in mail headers? It's possible to engineer a MUA to do that, but there's no use without a recipient who has the same magic box :-( DomainKeys and similar schemes can authenticate you as a sender from a particular network, but not specifically from your email address, nor can they provide message authentication. You're stuck with the standards if you want to communicate with others using PKCS. If you want to make sure your message can be authenticated, you'd best choose non-opaque (clear) signing whether OpenPGP or S/MIME. This way, you don't force the recipient to possess your public key in order to read your message, or suffer other consequences should their MUA lack support for your message type. If they want or have a need to authenticate your message, they'll request your public key. - -- Mike Daigle http://www.mikedaigle.ca My PGP Key mailto:[EMAIL PROTECTED] Gossamer Spider Web of Trust http://www.gswot.org Get Your Own Subdomain! http://www.gswot.org/yourname -BEGIN PGP SIGNATURE- Comment: GSWoT - Gossamer Spider Web of Trust - www.gswot.org iD8DBQFC9AdWNuccKlqTLlMRA2XgAJ4n5pBJIEaOhUuZPGY3ElQCKuapcACfTqHY tIm40GMriqbBRU814120Q60= =PkeT -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Proof of email ownership
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 In reply to David Srbecky's message sent 2005-08-05 17:36: I just installed GnuPG to Thunderbird, created a key pair and uploaded it to a keyserver. I have expected to receive some mail designed to verify that I really own the email address (similar to the one that just received to subscribe to this list), but I did not receive any. How can people know that I own the address if GnuPG did not check it? GnuPG is a cryptographic application. It verifies digital signatures, not email addresses. My next idea was that GnuPG is multipurpose cryptographic software and I need to get some special signature verifying that I own specific mail. I was looking for a way to accomplish that, but I have not found any. There is no magic bullet :-( A signature is only special to the one who recognizes it. Some people trust my sig, while others have no cause to. The same goes for bots and CA's. That's why the web of trust is important. The more signatures you get on your key, the greater the odds someone who receives your key sees a signature of someone they trust. Are there any servers/bots that can verify that I own mail and then sign my key to certify that? The PGP Global Directory will only publish UID's bearing email addresses that you confirm. https://keyserver-beta.pgp.com/vkd/GetWelcomeScreen.event The Robot CA at toehold.com will also similarly validate your email address. http://www.toehold.com/robotca/ There are other organized webs of trust around like Thawte Consulting (www.thawte.com), CAcert (www.cacert.org) and the Gossamer Spider Web of Trust (www.gswot.org). Thawte is a commercial CA (only good for X.509 unless you use a compatable RSA OpenPGP key). CAcert is a not-for-profit CA (X.509 and OpenPGP; trying for browser inclusion). GSWoT is a grassroots organization that endorses CAcert Assurers, Thawte Notaries, and other internally produced assurers to enhance the OpenPGP web of trust. These entities perform identity assurance. You won't get a signature for proving access to an email address. - -- Mike Daigle http://www.mikedaigle.ca My PGP Key mailto:[EMAIL PROTECTED] Gossamer Spider Web of Trust http://www.gswot.org Get Your Own Subdomain! http://www.gswot.org/yourname -BEGIN PGP SIGNATURE- Comment: GSWoT - Gossamer Spider Web of Trust - www.gswot.org iD8DBQFC9AZaNuccKlqTLlMRA2/NAKDZNFcuuoAhUAbKGZBMrp2z2wcCaACgq9UA X8336TQYfwdNfIpm0mxshtI= =0s6L -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users