Re: OpenPGP Card
Benjamin Donnachie wrote: Alon Bar-Lev [EMAIL PROTECTED] wrote: I think that gpg should support PKCS#11 interface for smartcards, so that it can be used with all smartcards that support this standard.
I've had a quick look at the PKCS#11 and I think that you may have a point!
I don't understand why gpg developers choose to implement their own smartcard standard...
Nor me - the OpenPGP card seems to be anything but open to me!
Finally someone who understands... I had no such luck with Werner Koch, who argues that OpenPGP card is standard... I've promised him to not bother any more with this issue... The most reasonable claim I've got was the licensing issue... But nobody succeeded in proving that there is a licensing problem.
I think MUSCLE (Movement for the Use of SmartCards in a Linux Environment http://www.linuxnet.com) uses PKCS - I could be wrong though, I need to read through it in more detail.
Yes... I don't think there is a problem with licensing... All problems are the result of an approach that each application may define how its smartcard should be built. This approach like any other proprietary approach will disappear along with its software, as it was with other software that did not support generic devices like printers, modems etc...
You can look for messages with PKCS#11 support for gpg-agent subject for future information at gnupg-users.
I saw that... Perhaps we should fork GPG and work on a PKCS#11 compliant version... I'm fairly new to smartcards, but I have a fair bit of other programming experience... I don't think it would be too difficult to implement with the libraries that are available once I get hold of a suitable card...
I don't think it is wise... There are some suitable cards that provide PKCS#11 in Linux, forcing your card to use gpg will not allow you to use it with your browser or with your standard mail client. Just a thought... why do you use gpg? which feature do you require?
Maybe there are some alternatives without using proprietary hardware. Best Regards, Alon Bar-Lev. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PKCS#11 support for gpg-agent
Alon Bar-Lev wrote: When PGP was invented there WAS NO standard to send and receive signed and encrypted messages, so PGP have implemented a proprietary method. Then, PGP tried to propose it as a standard... OpenPGP... But they have failed... It was not widely adopted... S/MIME was the standard adopted by the world, and PGP and gpg had to catch up. I think one should learn from history and not invent any new standard, especially when such already exists, implemented and adopted.
You are wrong in this regard: PGP is widely adopted (and what is your definition of the world?). And it makes perfect sense to have both worlds. OpenPGP offers a completely different trust model which suits the needs of some users very well (you can establish a web of trust with anyone without overhead) while S/MIME (or better: X.509) uses a centralized, CA-based model. For some applications I would never trust a commercial certification authority, so in X.509 you have to operate your own CA... Both S/MIME and OpenPGP are standards (S/MIME v.1 was more or less proprietary stuff), you might have a look at the according IETF working groups (http://www.ietf.org/).
I don't mean to write another agent. Write a pkcs#11 driver which uses gpg-agent as its token.
This is the WRONG WRONG WRONG approach!!!
Why? The _only_ purpose of gpg-agent is to ask you for a password and to keep that password in memory. You could use gpg-agent for _any_ application that requires a password.
No... the purpose of gpg-agent is to allow gpg to access private (secret) keys that are located in different physical location such as smartcards... From my point of view this is THE MAJOR feature of gpg-agent...
Well, you might have a look at KMail, which uses all the GPG 1.9 stuff. I was impressed by having a key manager, a smart card daemon and the easy interface of gpg-agent. This framework does far more than any PKCS11-implementation: For example it is able to handle revocation lists and OCSP-queries. This enables applications to use S/MIME without re-inventing the wheel. So please be fair: Both S/MIME and PGP have their advantages and disadvantages. And GPG seems to be on the way to be able to handle both. This sounds like a good idea to me.
Cheers, Olaf
-- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED] A daily view on Internet Attacks https://www.ecsirt.net/sensornet
Re: OpenPGP Card
Joerg Schmitz-Linneweber wrote: Hi Alon! I would like to see support for PKCS#11 too but... (won't elaborate on this now ;-)
I will be glad if you will... It seems that I am the only one that doesn't understand gpg motivation.
Regarding the open-ness of OpenPGP: Why do you (and Benjamin) think it's not open (enough)? The specs are there and you are free to implement both sides of the (smart) card. For me the specs allow(ed) it to try implementing OpenPGP on an IBM JavaCard (and it *would* be possible to have a JavaCard implement OpenPGP in parallel to PKCS#11...) Just my 2cts... Salut, Jörg
This is EXACTLY the problem. If you have a RSA private key and X.509v3 certificate that refers to the public key, you expect this key to be shared among all applications that you use. If you had to write a separate applet and provider for each application you make the cost of smartcard integration EXTREMELY high! On the other hand, if you implement a software API for accessing a generic smartcard, then you don't need to implement any special software in order to use smartcard type A or smartcard type B. This is all PKCS#11 is about (Or Microsoft CSP in Windows environment...) It provides a generic API to access cryptographic tokens. Most smartcard vendors, including IBM, provide PKCS#11 library that communicates with their card. PKCS#11 application can benefit from it as well as the user... No proprietary code should be written in order to make your software work with your hardware.
Best Regards, Alon Bar-Lev.
Re: OpenPGP Card
On Fri, 02 Sep 2005 18:45:53 +0300, Alon Bar-Lev said: environment...) It provides a generic API to access cryptographic tokens. Most smartcard vendors, including IBM, provide PKCS#11 library that communicates with their card.
Again: Feel free to provide one. The only thing you need is libassuan to connect to gpg-agent. libassuan is even under LGPL so you can use it with any kind of application - just put it into a shared library. If something should be missing in gpg-agent to implement this, I will help by adding the required facilities. However, I don't have the time to write a pkcs#11 library for gpg-agent/scdaemon for free. If this is that important for you and you don't want to do it yourself, well ask me at my company address.
Shalom-Salam, Werner
Re: PKCS#11 support for gpg-agent
Hello,
You are wrong in this regard: PGP is widely adopted (and what is your definition of the world?). And it makes perfect sense to have both worlds.
I won't argue with that... But the trend is not in favor of PGP.
OpenPGP offers a completely different trust model which suits the needs of some users very well (you can establish a web of trust with anyone without overhead) while S/MIME (or better: X.509) uses a centralized, CA-based model. For some applications I would never trust a commercial certification authority, so in X.509 you have to operate your own CA...
You are wrong! You can use self-signed certificates in a trust model similar to PGP.
Both S/MIME and OpenPGP are standards (S/MIME v.1 was more or less proprietary stuff), you might have a look at the according IETF working groups (http://www.ietf.org/).
True... I know... But S/MIME standard is the one which is implemented in every mail client program... not PGP...
Well, you might have a look at KMail, which uses all the GPG 1.9 stuff. I was impressed by having a key manager, a smart card daemon and the easy interface of gpg-agent. This framework does far more than any PKCS11-implementation: For example it is able to handle revocation lists and OCSP-queries. This enables applications to use S/MIME without re-inventing the wheel.
You don't understand what PKCS#11 is. Maybe that is the reason for all of these arguments... PKCS#11 is an API needed to access cryptographic token. PKCS#11 is NOT OCSP or PKI or X.509. It just specifies how application should access a cryptographic token that can perform hashing, symmetric and asymmetric key operation, key handling etc... A typical application needs to use PKCS#11 __ONLY__ for the following purposes:
1. Perform operation with private key located on token.
2. Fetch X.509v3 Digital Certificates from the token (User identities).
So please be fair: Both S/MIME and PGP have their advantages and disadvantages. And GPG seems to be on the way to be able to handle both. This sounds like a good idea to me.
I am sorry, but I don't agree. I don't find any advantage to keep OpenPGP formats. There is PKCS#7 for signed/enveloped data and S/MIME that uses PKCS#7 for email. Using self-signed certificates and PKCS#7 and S/MIME you get a full replacement for PGP... It will take several years, but eventually it will happen. Even pgp corp (www.pgp.com) understood that its future is in S/MIME and PKI, so they are adjusting their product toward it. My initial request was to consider supporting PKCS#11 standard in order to access keys that are located on cryptographic tokens, instead of using a proprietary card format... This should be done regardless of our small debate regarding S/MIME and PGP. I hope you read more regarding PKCS#11 www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html and understand its role in cryptographic application and that gpg can benefit from it.
Best Regards, Alon Bar-Lev.
Re: PKCS#11 support for gpg-agent
On Fri, 02 Sep 2005 15:30:29 +0300, Alon Bar-Lev said:
Most pkcs#11 stuff is not GPL compatible.
But it does not say that GPLed software cannot use PKCS#11 interface in order to access non-GPLed tokens!
Read the GPL again and you will see that this is not possible.
I am sorry to read that... I think it is a good standard... Just like any RSA Security PKCS#* standard... at least it is a standard that most programmers like PKCS#12 :-) I don't understand why you guys did not rewrite the PKCS#7, PKCS#1, PKCS#8, PKCS#9
pkcs#7 is nowadays called CMS. It is used by gpgsm. pkcs#1 is even part of OpenPGP.
The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?! You could have been very happy in your closed PGP format world. Even if the standards are ugly, they at least work!
Depends on the standard.
I am responsible of replacing software/suggest correct software for using smartcards. Currently gpg is on my black list... And because of this I tried to
As said in my other mail to gnupg-devel: If you have a commercial interest, talk to me about implementing pkcs#11 - but don't expect to get something for free. I have laid out the path on how to implement a pkcs#11 library to make use of gpg-agent/scdaemon as a token. It is also possible to write a pkcs#11 thingy for just that card.
I don't mean to write another agent. Write a pkcs#11 driver which uses gpg-agent as its token.
This is the WRONG WRONG WRONG approach!!!
Well, my opinion is different.
Salam-Shalom, Werner
Re: PKCS#11 support for gpg-agent
On Fri, 02 Sep 2005 18:21:06 +0300, Alon Bar-Lev said:
Yes... But why? What was the reason to work so hard in adding S/MIME? The answer for my opinion is that IT IS A STANDARD!!!
I am sorry to correct you. No mentally sane hacker would voluntarily implement X.509 stupidity. The reason why we wrote gpgsm was real trivial: We have been convinced by means of money to undertake this.
When PGP was invented there WAS NO standard to send and receive signed and encrypted messages, so PGP have implemented a proprietary method.
PEM dates back to 1987 (rfc989) quite some years before PGP was written.
Then, PGP tried to propose it as a standard... OpenPGP... But they have failed... It was not widely adopted...
It may not be widely adopted but nevertheless it is the standard to make sure that confidential information can be sent over the Internet. It is used all over the Net and major industry players are using it and even requiring that suppliers are using PGP. The IETF has not decided whether OpenPGP or S/MIME will be the preferred standard.
No... the purpose of gpg-agent is to allow gpg to access private (secret) keys that are located in different physical location such as smartcards... From my point of view this is THE MAJOR feature of gpg-agent...
The major feature is to encapsulate operations involving a private key into one module - optionally to be run on a different device. For practical reasons gpg-agent also allows the use of smartcards. The passphrase caching is a bonus so that no second tool (like Quintuple Agent) is needed for gpg versions which are not yet able to delegate private key operations to the agent.
Shalom-Salam, Werner
Re: OpenPGP Card
Werner Koch wrote: On Fri, 02 Sep 2005 18:45:53 +0300, Alon Bar-Lev said: environment...) It provides a generic API to access cryptographic tokens. Most smartcard vendors, including IBM, provide PKCS#11 library that communicates with their card.
Again: Feel free to provide one. The only thing you need is libassuan to connect to gpg-agent. libassuan is even under LGPL so you can use it with any kind of application - just put it into a shared library.
1. Athena smartcard http://www.athena-scs.com provides Linux and Windows PKCS#11.
2. Algorithmic Research smartcard http://www.arx.com provides Linux and Windows PKCS#11.
3. Aladdin smartcard http://www.ealaddin.com using opensc.
4. nCipher HSM http://www.ncipher.com
5. SafeNet HSM http://www.safenet-inc.com
I can find more... You can refer to opensc and see some more (I didn't try them)... http://www.opensc.org/files/doc/opensc.html#opensc.status.cards Then you can use the opensc PKCS#11 library http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11
If something should be missing in gpg-agent to implement this, I will help by adding the required facilities. However, I don't have the time to write a pkcs#11 library for gpg-agent/scdaemon for free. If this is that important for you and you don't want to do it yourself, well ask me at my company address.
I don't understand why you keep insisting on writing a library... You need to use a library not implement one. All you need to do is to use several PKCS#11 methods:
1. login, find correct object, perform decryption (RSA), logout.
2. login, extract X509 certificates, logout.
May I understand that you agree that gpg-agent should support PKCS#11 as a means to interact with cryptographic tokens? This was my original request... The when and how can be determined... But I will be glad if we can agree that it should be done...
Best Regards, Alon Bar-Lev.
GnuPG Large File Issues - Windows
I am hoping to use GnuPG to encrypt some database flat file backups. My initial testing worked great, no issues. However I have started testing with some slightly larger files - currently 5.7GB in size. I have tried it with the default compression on and with a '-z 0'. The gpg file gets created with no issues in either case. When I try to decrypt it though I get the following error:
gpg: encrypted with 2048-bit ELG-E key, ID C8D07746, created 2005-09-02
      System Administrator [EMAIL PROTECTED]
gpg: [don't know]: invalid packet (ctb=00)
gpg: WARNING: encrypted message has been manipulated!
gpg: [don't know]: invalid packet (ctb=06)
This happens at the 1.5GB mark every time. I saw this from the archives: http://bugs.guug.de/db/13/1361-b.html Has this been fixed in the newer releases? Or am I missing something obvious?
Additional Details:
Running on Windows 2000 SP4
Using GnuPG 1.4.2 (installed via the installer package to c:\GnuPG)
To encrypt I am using this command line: 'gpg --encrypt-files -r "System Administrator" -z 0 filename_5.7GB_in_size'
To decrypt I am using this command line: 'gpg --decrypt-files filename_5.7GB_in_size.gpg'
Any assistance or suggestions would be greatly appreciated! Just let me know if I left a piece of information out that you may need. Thanks! Jeffrey
Re: OpenPGP Card
On Fri, 02 Sep 2005 16:13:45 +0300, Alon Bar-Lev said:
Finally someone who understands... I had no such luck with Werner Koch, who argues that OpenPGP card is standard...
Well it is as much a standard as pkcs#15 is one. Who decides what a standard is? RSA Corporation defines standards known as PKCS, we define an ISO7816 compliant standard for a card, dubbed OpenPGP card. You may use this one or do it like 99% of the smartcard vendors and use a proprietary card application where the specs are in the best case only available under NDA.
an approach that each application may define how its smartcard should be built. This approach like any other proprietary approach will disappear along with its software,
Huh? It is not about a particular application, it just happens that gpg supports this card. There are other applications unrelated to gpg also using this card, for example the Poldi PAM. I also know of other projects using this card - just because it is well defined and the specs are open.
I don't think it is wise... There are some suitable cards that provide PKCS#11 in Linux,
Please go and read the standard before talking about it: No card implements PKCS#11 because that is an API between a token provider and an application. No ISO compliant card will be able to implement PKCS#11. You might be thinking about pkcs#15 - this is indeed a standard which defines how a card application may appear to software. However there are many variants of pkcs#15, it is complicated and experience showed that it didn't help much with interoperability. Given that card applications are pretty small beasts, it seems to me far easier to add its counterpart to the host application than to hammer it into a limited framework.
Salam-Shalom, Werner
-- An engineer, a chemist, and a standards designer are stranded on a desert island with absolutely nothing on it. One of them finds a can of spam washed up by the waves. The engineer says Taking the strength of the seams into account, we can calculate that bashing it against a rock with a given force will open it up without destroying the contents. The chemist says Taking the type of metal the can is made of into account, we can calculate that further immersion in salt water will corrode it enough to allow it to be easily opened after a day. The standards designer gives the other two a condescending look, gazes into the middle distance, and begins Assuming we have an electric can opener - from Peter Gutmann's X.509 Style Guide
Multiple signatures on a single file
Is it possible to have multiple persons sign a single file? If so, how is this done? The particular scenario is currently this: Employees submit expense reports for business travel using a spread sheet. Current practise is that the employee fills out spread sheet via computer (or optionally prints blank spread sheet template and writes by hand with a pen), physically signs using pen and ink, physically delivers signed hardcopy to supervisor for supervisor pen-and-ink signature prior to payment processing. Desired practise is to eliminate both producing hard copy and pen-and-ink signatures, and then re-work the process using gpg electronic signatures. Thus, employee would enter data into expense report spread sheet, save, gpg sign, mail to supervisor, supervisor would (presumably) open and review spread sheet, close without changing, gpg sign, and then return to employee or forward to accounting dept. Sounds straightforward, but I didn't spot in the various manuals/guides/how-to's for gnupg how a second individual could add their signature after me.
-- BMT
Re: PKCS#11 support for gpg-agent
Thank you Olaf, I see your point regarding PKI, I am familiar with it. I want to focus the discussion for the smartcard support, this was my original issue and we then moved to a different discussion... I have a lot to say in that matter... but first I will study your documents to understand your position more clearly... I want to come back to the issue of using a standard API to access the cryptographic token.
Well, you might have a look at KMail, which uses all the GPG 1.9 stuff. I was impressed by having a key manager, a smart card daemon and the easy interface of gpg-agent. This framework does far more than any PKCS11-implementation: For example it is able to handle revocation lists and OCSP-queries. This enables applications to use S/MIME without re-inventing the wheel.
You don't understand what PKCS#11 is. Maybe that is the reason for all of these arguments...
Well, you might have a look at this report that was done by myself and a colleague of mine: http://www.dfn-pca.de/bibliothek/reports/pki-token/ You might think twice before saying such things again...
First, I regret if I offended you. But having written this document how could you state your previous statement? This framework does far more than any PKCS11-implementation??? I am confused... If you know that all what PKCS#11 is - access objects on cryptographic tokens... why did you raise the OCSP and revocation stuff?
But if you integrate Smart-Card functionality into the GPG framework, your application does not have to care about the smart-card at all. If your application uses PKCS11, it still has to do CRL-checking, certificate-validation and stuff like this. PKCS11 is on quite a low level, I would prefer to simply ask the GPG-agent, if a used certificate is still valid (and GPG in turn might have a PKCS11 interface to actually access the smart card)...
I think otherwise... In current gpg-agent design the smartcard access should be performed by it. I think current design is correct one... But I don't care... As long as a standard PKCS#11 API is used to access the smartcard... I will be happy.
For sure, I have read much more about tokens and PKCS11 than you think. And even if you cannot believe it: It may well be that some people have different experiences and different opinions and these do not necessarily have to be wrong. There are more things than black and white...
Again... I am sorry if I offended you. But I think there are two separate issues here that are somehow merged together. Decoding and verifying the PKIX/PGP/PKCS#* data, and accessing the cryptographic tokens. These are two separate issues... On the one hand I have your position that PKCS#11 is not enough... but you don't provide any replacement... for standard access to cryptographic token. On the other hand I have Werner position that states that only low level APDU access should be defined as low-level card interface, and every card should be tailored in order to work with gpg. This demonstrates the need of adopting a software standard for gpg for accessing smartcards... and PKCS#11 is the most suitable standard... I just want us to agree on that. Whether it is implemented or not is not an issue... I just wanted to understand why people are developing their own standards.
Best Regards, Alon Bar-Lev.
Lost Private Key
How do i regain a lost private key? if i can't, how can i generate a revoke certificate for it? if i can't, can i delete it from the servers? what should i do? i need help!
Re: Signing MS-Excel spread sheets
Berend Tober wrote: I hate to admit that I still use MS-Excel rather than an open source spread sheet tool, but workplace requirements constrain my fate... Has anyone else managed a work-around for this flaw? (Aside from the obvious -- Stop using MS-Excel! -- because that is a failure I cannot control...)
use openoffice.org: it is opensource and fully compatible with microsoft. now it is a failure you can control. see http://www.openoffice.org/dev_docs/instructions.html#win for how to install it.
Re: Lost Private Key
Dan Mundy wrote: How do i regain a lost private key? if i can't, how can i generate a revoke certificate for it? if i can't, can i delete it from the servers? what should i do? i need help!
nevermind... i found an old backed-up copy of my private key... sorry for the fuss.
Re: Lost Private Key
Dan Mundy wrote: Dan Mundy wrote: How do i regain a lost private key? if i can't, how can i generate a revoke certificate for it? if i can't, can i delete it from the servers? what should i do? i need help!
nevermind... i found an old backed-up copy of my private key... sorry for the fuss.
Generate a revocation certificate NOW and store it in a secure offline location, along with a backup of your key.
-- Alphax | Encrypted Email Preferred | OpenPGP key ID: 0xF874C613 | http://tinyurl.com/cc9up | ASCII Ribbon Campaign Against HTML email vCards
Re: Lost Private Key
Dan Mundy wrote: Dan Mundy wrote: How do i regain a lost private key? if i can't, how can i generate a revoke certificate for it? if i can't, can i delete it from the servers? what should i do? i need help!
nevermind... i found an old backed-up copy of my private key... sorry for the fuss.
Good deal. And you've generated that revocation cert and are storing it with the backup copy of the key? Oh, BTW... Make another backup copy of public and private keys and that revocation cert -- and store them a) on different media, and b) in a different secure location.
The answers to your questions wouldn't be very pleasing.
How do I regain the private key? You can't. There is no way to reconstruct a private key from the public key.
Generate rev cert? You can't without the private key.
Delete from keyservers? You can't. Servers are add-only.
-- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A what's the key to success?/ two words: good decisions. what's the key to good decisions? / one word: experience. how do i get experience? / two words: bad decisions. Just how do the residents of Haiku, Hawai'i hold conversations?
Re: Multiple signatures on a single file
Berend Tober wrote: Is it possible to have multiple persons sign a single file? If so, how is this done? The particular scenario is currently this: Employees submit expense reports for business travel using a spread sheet. Current practise is that the employee fills out spread sheet via computer (or optionally prints blank spread sheet template and writes by hand with a pen), physically signs using pen and ink, physically delivers signed hardcopy to supervisor for supervisor pen-and-ink signature prior to payment processing. Desired practise is to eliminate both producing hard copy and pen-and-ink signatures, and then re-work the process using gpg electronic signatures. Thus, employee would enter data into expense report spread sheet, save, gpg sign, mail to supervisor, supervisor would (presumably) open and review spread sheet, close without changing, gpg sign, and then return to employee or forward to accounting dept. Sounds straightforward, but I didn't spot in the various manuals/guides/how-to's for gnupg how a second individual could add their signature after me.
Use detached signatures? Generate a key to sign the document with, and have that key signed by the supervisor? Just my 2c...
-- Alphax | Encrypted Email Preferred | OpenPGP key ID: 0xF874C613 | http://tinyurl.com/cc9up | ASCII Ribbon Campaign Against HTML email vCards
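The detached-signature approach suggested in the reply above, as an added example that is not part of the original thread: employee and supervisor each make their own detached signature over the same unmodified file, and the recipient accepts it only if both signatures are valid and come from the expected keys. The throwaway keyring, user IDs, file name and helper function names are constructed for illustration, and GnuPG 2.1 or later is assumed.

```sh
#!/bin/sh
# Added example: two signers, one file, two detached signatures.
# Everything lives in a throwaway directory; the identities are constructed.
set -eu

work=$(mktemp -d)
GNUPGHOME="$work/gnupg"; export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$work"' EXIT

# Create a passphrase-less signing key for the demo and print its fingerprint.
make_key() {  # $1 = user ID
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# A detached signature leaves the file itself untouched, so several people
# can independently sign the identical bytes.
sign_detached() {  # $1 = signer fingerprint, $2 = file, $3 = signature file
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --output "$3" --detach-sign "$2"
}

# Print the primary-key fingerprint behind a VALID signature, or nothing at all.
# Parsing the status line avoids trusting a bare "Good signature" from any key.
signer_of() {  # $1 = signature file, $2 = signed file
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $NF }'
}

# Accept the report only if BOTH expected people signed these exact bytes.
approved() {  # $1 = file, $2 = employee fingerprint, $3 = supervisor fingerprint
    [ -n "$2" ] && [ -n "$3" ] &&
    [ "$(signer_of "$1.employee.sig" "$1")" = "$2" ] &&
    [ "$(signer_of "$1.supervisor.sig" "$1")" = "$3" ]
}

EMP_FPR=$(make_key "Demo Employee <employee@example.invalid>")
SUP_FPR=$(make_key "Demo Supervisor <supervisor@example.invalid>")

report="$work/expenses.csv"        # constructed stand-in for the spreadsheet
printf 'date,item,amount\n2005-09-02,train,84.00\n' > "$report"

sign_detached "$EMP_FPR" "$report" "$report.employee.sig"     # employee signs
sign_detached "$SUP_FPR" "$report" "$report.supervisor.sig"   # supervisor signs the same file

if approved "$report" "$EMP_FPR" "$SUP_FPR"; then
    echo "both signatures valid: forward to accounting"
else
    echo "rejected: missing, invalid or unexpected signature"
fi
```

Each signature covers the exact bytes of the file, so a spreadsheet that is re-saved between the two signing steps no longer verifies against the first signature.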