Re: Linux-gnupg and win-pgp

2005-09-05 Thread Lionel Elie Mamane
On Tue, Sep 06, 2005 at 01:53:18AM +0200, Stefan Fuhrmann wrote:
> On Tuesday, 6 September 2005 01:31, Lionel Elie Mamane wrote:
>> On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote:

>>> I'm using kubuntu and so kmail with gnupg.
>>> When I send an encrypted mail to a win user who has pgp, the encrypted mail
>>> is attached.
>>> 1.) Why is this message attached, and why is pgp not able to decrypt it?
>>> I have to save it first and decrypt it then.

>> Because what you send is a PGP/MIME (RFC3156) message, which is the
>> better and preferred way, but your correspondent's mail user agent
>> (mail program) doesn't support PGP/MIME.

> okay, most of the win users have outlook... so what?

So they suffer from a very limited feature set. ;-)

>>> 2.) Is there a way to send this mail so that win users have the mail in
>>> the mail body and not as an attachment?

>> I dunno if KMail can do that. Look for an "old method" option or "plain
>> text" option or something like that.

> Can't find something like that.

In the message composition window, in the toolbar, there is a choice
list between "Inline OpenPGP", "OpenPGP/MIME" and a few others. Choose
"Inline OpenPGP".

>>> But when I do it some german characters are not displayed!
>>> 3.) What is the reason for it?

>> Because by then the information about which charset the text was in is
>> lost. This is meta-information attached to the attachment; by saving
>> it you "lose" it.

> hmmm... I don't understand this: when I save the message the
> information is lost?! Why?

The filesystem doesn't have a "place" for this information.

-- 
Lionel

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
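The charset point Lionel makes above, worked through as an added example. This is Python written for this page, not code from the thread, KMail, GnuPG or PGP; it uses only the standard library `email` module, the sample text is constructed, and the RFC 3156 multipart/encrypted wrapper and the encryption step itself are left out because they need a key. What it shows is where the charset lives (in the Content-Type header of the entity that gets encrypted) and what happens once only the decrypted bytes remain.

```python
"""
Added example, not code from the thread: where the charset of a PGP/MIME
message lives and why it is gone once the part is saved and decrypted by
hand. All sample text and messages here are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample body with the German umlauts from the thread.
SAMPLE_TEXT = "Grüße aus Kubuntu: öäü"


def build_inner_entity(text, charset):
    """Build the MIME entity that an RFC 3156 sender encrypts.

    The charset travels in this entity's own Content-Type header, inside
    the encrypted payload, not in the outer message. Quoted-printable keeps
    the wire bytes 7-bit, as many clients do.
    """
    msg = EmailMessage(policy=policy.default)
    msg.set_content(text, charset=charset, cte="quoted-printable")
    return msg.as_bytes()


def decode_with_mime_headers(raw):
    """What a PGP/MIME-aware client does after decryption: honour the
    charset parameter of the decrypted entity."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    charset = msg.get_content_charset() or "us-ascii"
    # set_content appends a final newline; strip it so the text round-trips.
    return msg.get_payload(decode=True).decode(charset).rstrip("\n")


def saved_plaintext_bytes(raw):
    """Model 'save the attachment, decrypt it by hand': the decrypted text
    ends up as bytes in a file, and a file has no field for the charset."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_payload(decode=True)


def decode_as_saved_file(raw, assumed_charset):
    """A reader of the saved file can only guess a charset (typically the
    local code page); a wrong guess yields mojibake or replacement marks."""
    body = saved_plaintext_bytes(raw)
    return body.decode(assumed_charset, errors="replace").rstrip("\n")


if __name__ == "__main__":
    raw = build_inner_entity(SAMPLE_TEXT, "utf-8")
    print(raw.decode("ascii"))  # note the charset parameter in the header
    print("PGP/MIME client :", decode_with_mime_headers(raw))
    print("saved, as cp1252:", decode_as_saved_file(raw, "cp1252"))
    raw_latin1 = build_inner_entity(SAMPLE_TEXT, "iso-8859-1")
    print("saved, as utf-8 :", decode_as_saved_file(raw_latin1, "utf-8"))
```

Both directions of the mismatch are covered: UTF-8 text read as a Windows code page turns each umlaut into two wrong characters, and ISO-8859-1 text read as UTF-8 produces replacement marks. Either way the bytes were never damaged; only the header that said how to read them stopped being consulted, which is exactly why a PGP/MIME-aware client on the receiving side fixes the problem and a file save cannot.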


Re: OpenPGP Card

2005-09-05 Thread Lionel Elie Mamane
On Tue, Sep 06, 2005 at 03:14:56PM +1200, Peter Gutmann wrote:
> Lionel Elie Mamane <[EMAIL PROTECTED]> writes:
>>On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote:

>>> Since your GPLed program does not contain any other licensed code it is
>>> still GPLed...
>>> The same goes with GPLed licensed program that loads PKCS#11
>>> module...

>>Not unless that PKCS#11 module "is normally distributed with the major
>>components of the operating system". (Assuming here that the PKCS#11 module
>>would be a library that GnuPG would dlopen.)

> PKCS #11 is a device driver without which it's impossible to use
> critical (to the application) hardware.  If you take this
> interpretation then GPG already violates it because it ends up using
> all manner of components (RAID drivers, ATI/nVidia video drivers,
> PC/SC drivers, etc) that aren't distributed as part of the OS.

GnuPG doesn't *link* to RAID drivers or video drivers. They don't end
up "running linked together in a shared address space". They
communicate over syscalls or sockets, mechanisms that are well known
to be "GPL-safe" (as long as the coupling between them isn't too
tight). See
http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation .

On the other hand, some people interpret the GPL in a way saying that
if a library implements a "standard" ABI, then one can link GPL
software to it.  I think it is a good idea to stick to the
copyright holder's interpretation.

> In fact if you wanted to go reductio ad absurdum even kernel32.dll
> is excluded because the hotfixes that are constantly applied to it
> aren't "normally distributed with the system components" - they're a
> special download.

Do I have to answer that?

> On the other hand using a particular interpretation of the GPL in
> order to make it impossible for GPG to be able to support widespread
> smart cards and crypto hardware is a great example of cutting off
> your nose to spite your face.

That's a choice for the copyright holder to make.

-- 
Lionel



Re: Linux-gnupg and win-pgp

2005-09-05 Thread Stefan Fuhrmann
On Tuesday, 6 September 2005 01:31, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote:
> > I'm using kubuntu and so kmail with gnupg.
> > When I send an encrypted mail to a win user who has pgp, the encrypted mail
> > is attached.
> > 1.) Why is this message attached, and why is pgp not able to decrypt it?
> > I have to save it first and decrypt it then.
>
> Because what you send is a PGP/MIME (RFC3156) message, which is the better
> and preferred way, but your correspondent's mail user agent (mail
> program) doesn't support PGP/MIME.
okay, most of the win users have outlook... so what?
>
> > 2.) Is there a way to send this mail so that win users have the mail in
> > the mail body and not as an attachment?
>
> I dunno if KMail can do that. Look for an "old method" option or "plain
> text" option or something like that.

Can't find something like that.
>
> > But when I do it some german characters are not displayed!
> > 3.) What is the reason for it?
>
> Because by then the information about which charset the text was in is
> lost. This is meta-information attached to the attachment; by saving
> it you "lose" it.

hmmm... I don't understand this: when I save the message the information is
lost?! Why?
And how can win-PGP users decrypt such messages? With a correct character set
also?
I tried a lot and searched a lot but can't find a solution.

maybe someone has an idea??

tia

stefan




Re: Transparent keyboards

2005-09-05 Thread Roscoe
First:
Sure, with enough anything can be brute forced.
But what happens when that "enough" isn't possible?

Brute forcing (alone) 256-bit keys is a joke. It's just not an issue.

Second:
Being investigated by animal rights folk does *not* make you a terrorist.


Now back to being on topic but still slightly off...

I think a laptop you keep with you all the time is a pretty good shot. :)


On 9/6/05, the dragon <[EMAIL PROTECTED]> wrote:
> I suspect, with enough horsepower and resources, any encryption can be
> broken.
> 
> I am sure, at one point, all encryption was thought to be unbreakable.
> 
> peace,
> clark 'the dragon' willis
> 
> 
> 
> PSA: Salary <> Slavery. If you earn a salary, your employer is renting your
> services for 40 hours a week, not purchasing your soul. Your time is the
> only real finite asset that you have, and once used it can never be
> recovered, so don't waste it by giving it away.
> 
> I work to live; I don't live to work.
> 
> "Time is the coin of your life. It is the only coin you have, and only you
> can determine how it will be spent. Be careful lest you let other people
> spend it for you."
> 
> Carl Sandburg
> (1878 - 1967)
> 
> Original Message Follows
> 
> Jean-David Beyer wrote:
> 
> > I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they
> > have the resources to do it. It would probably take them a while if they had
> > to use brute force
> 
> No, they can't do it by brute force. Look even at the power requirements
> to do such a calculation: we're talking about an energy consumption that
> is more than the entire sun will radiate during its entire lifetime.
> I'm pretty sure that's beyond anything even the NSA can deploy.
> 
> If they are able to decrypt pgp/gpg, it will be because they either broke
> an algorithm or implementation of it, or they have obtained the key by
> other means (keylogger, hidden camera, tempest, virus, torture).
> 

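The energy argument in the quoted reply above, carried through as an added back-of-the-envelope derivation. It is not from the thread; it assumes the Landauer limit at room temperature as the lowest possible energy per bit operation, and the solar figures are standard approximate values.

```latex
% Landauer bound: minimum energy to change one bit at temperature T
E_{\min} = k T \ln 2, \qquad
k = 1.38\times10^{-23}\ \mathrm{J/K},\quad T = 300\ \mathrm{K}
\;\Rightarrow\; E_{\min} \approx 2.9\times10^{-21}\ \mathrm{J}

% A full search of a 256-bit key space needs at least 2^{256} bit operations
N = 2^{256} \approx 1.2\times10^{77}

E_{\mathrm{search}} \;\ge\; N\,E_{\min}
\;\approx\; 1.2\times10^{77}\times 2.9\times10^{-21}\ \mathrm{J}
\;\approx\; 3\times10^{56}\ \mathrm{J}

% Energy the sun radiates over its roughly 10^{10}-year main-sequence life
E_{\odot} \approx L_{\odot}\, t_{\odot}
\approx 3.8\times10^{26}\ \mathrm{W}\times 3\times10^{17}\ \mathrm{s}
\approx 1\times10^{44}\ \mathrm{J}

\frac{E_{\mathrm{search}}}{E_{\odot}} \approx 3\times10^{12}
```

So even a computer running at the thermodynamic floor, with no overhead at all, would need about a trillion times the sun's total lifetime output to walk a 256-bit key space, which is the sense in which the quoted reply (and Roscoe's "it's just not an issue") puts brute force aside and points instead at broken algorithms, broken implementations and key theft.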


Re: Linux-gnupg and win-pgp

2005-09-05 Thread Lionel Elie Mamane
On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote:

> I'm using kubuntu and so kmail with gnupg.
> When I send an encrypted mail to a win user who has pgp, the encrypted mail is
> attached.
> 1.) Why is this message attached, and why is pgp not able to decrypt it?
> I have to save it first and decrypt it then.

Because what you send is a PGP/MIME (RFC3156) message, which is the better
and preferred way, but your correspondent's mail user agent (mail
program) doesn't support PGP/MIME.

> 2.) Is there a way to send this mail so that win users have the mail in the
> mail body and not as an attachment?

I dunno if KMail can do that. Look for an "old method" option or "plain
text" option or something like that.

> But when I do it some german characters are not displayed!
> 3.) What is the reason for it?

Because by then the information about which charset the text was in is
lost. This is meta-information attached to the attachment; by saving
it you "lose" it.

-- 
Lionel



Re: OpenPGP Card

2005-09-05 Thread Lionel Elie Mamane
On Tue, Sep 06, 2005 at 12:59:48AM +0200, Alon Bar-Lev wrote:
> Lionel Elie Mamane Wrote: 

>> Not unless that PKCS#11 module "is normally distributed with the
>> major components of the operating system". (Assuming here that the
>> PKCS#11 module would be a library that GnuPG would dlopen.)

> So how come a GPLed application can use a display driver that is vendor
> provided?

The application does not link to the display driver. On Microsoft
Windows, the display driver is part of the kernel, and AFAIK
applications communicate with the kernel through syscalls (eventually
wrapped by gdi32.dll, kernel32.dll, etc), not linkage. On a Unix
system, the program communicates with the "display" through the
networking layer, so there is also absolutely no linkage.

But there is indeed a case to be made that if the library implements a
well-known, standard ABI, then linking to it is not a GPL
violation.  Legally it depends whether the linked program is a
"derived work" from the program or not.

> And how come a GPLed application can print on a printer using a
> proprietary driver from HP (for example)?

On a Unix system, again, programs don't link with a printer
driver. They exec() lpr over a pipe and dump postscript to it over the
pipe. Just a matter of passing data around to another process, no
library linkage.

> I can show you that a GPLed program loads these drivers...

Yes, show me, I'm curious.

-- 
Lionel



Re: Certification-only key

2005-09-05 Thread Lionel Elie Mamane
On Mon, Sep 05, 2005 at 04:46:46PM -0400, David Shaw wrote:
> On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:
>> On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote:

>>> It's not necessarily a good idea though: some people before agreeing
>>> to sign a key will ask for a signed message to prove that you "own"
>>> the secret portion of the key they are about to sign.

>> I would obviously have at least one data-signing subkey. I presume
>> these people would take a signature from such a subkey. Or
>> decryption of a nonce they sent me encrypted to an encryption
>> subkey.

> They might, but really shouldn't (I wouldn't).  When you make a
> certification signature on someone else's key, you're signing the
> primary key plus the user ID in question.  There is no benefit in
> receiving a signed challenge from any key other than the primary.

But that subkey is attached to the primary key by a signature of the
primary key. Isn't then control of that subkey enough to "prove"
control of the primary key?

Unless:

 1) Signature scheme cryptographically broken. We have a bigger
problem.

 2) Primary key owner has done stupid things, like sharing subkeys
with others. But if we assume he has done that, we might as well
assume he would sign the challenge a man-in-the-middle attacker
has forwarded him or shared his primary key or ...

Where's the flaw in the reasoning?

>> You could argue I could have this without marking the key as
>> certificate-only, by never issuing data signatures with the primary
>> key. That's harder on me. I have to be more cautious. Over the course
>> of twenty years, I *will* screw up.

> GnuPG actually makes it hard for you to screw up here.  If there is
> a subkey that can sign, GnuPG will use it rather than the primary.
> The only way to get a signature (as opposed to a key certification)
> from the primary is to specify its key ID explicitly with an
> exclamation point.

Ah. Good. I just hope mutt doesn't pass the KeyID with an exclamation
point. Should check that.

-- 
Lionel



linux-gpg and win-pgp

2005-09-05 Thread Stefan Fuhrmann

Hello all,
I'm using kubuntu and so kmail with gnupg.
When I send an encrypted mail to a win user who has pgp, the encrypted mail is
attached.
1.) Why is this message attached, and why is pgp not able to decrypt it?
I have to save it first and decrypt it then.
2.) Is there a way to send this mail so that win users have the mail in the
mail body and not as an attachment?
But when I do it some german characters are not displayed!
3.) What is the reason for it?
The character set under my linux is okay!
When I use win-pgp with these characters öäü and so on all is okay also under
my linux; only when I send the mail from my linux to a win and try to
decrypt with pgp I have the problems with pgp and the characters.
4.) How can I solve this?


Can someone help?

tia

stefan



Linux-gnupg and win-pgp

2005-09-05 Thread Stefan Fuhrmann
Hello all,
I'm using kubuntu and so kmail with gnupg.
When I send an encrypted mail to a win user who has pgp, the encrypted mail is
attached.
1.) Why is this message attached, and why is pgp not able to decrypt it?
I have to save it first and decrypt it then.
2.) Is there a way to send this mail so that win users have the mail in the
mail body and not as an attachment?
But when I do it some german characters are not displayed!
3.) What is the reason for it?
The character set under my linux is okay!
When I use win-pgp with these characters öäü and so on all is okay also under
my linux; only when I send the mail from my linux to a win and try to
decrypt with pgp I have the problems with pgp and the characters.
4.) How can I solve this?


Can someone help?

tia

stefan




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
 
Joe Smith wrote:

> *PKCS#11 has nothing at all to do with smartcards.* The fact that many
> proprietary card drivers export a PKCS #11 interface
> is merely coincidence.

PKCS#11 and Microsoft cryptographic providers are the two APIs available for
accessing cryptographic tokens.
Every application that wishes to use the services of vendor-independent
cryptographic tokens uses one of these APIs.
So vendors that develop smartcards provide these interfaces so their card
will be usable.
Enterprises (which are the larger clients) will not buy a smartcard that
does not support PKCS#11.

> One of the larger reasons why Werner is probably reluctant to support
> PKCS#11 in GPG is that X509 (which pkcs#11 is almost always used with)
> does not interface well with OpenPGP. It makes better sense to
> have a separate X509 key, rather than use your key for both X509 and
> OpenPGP. For example, your CA can revoke your key leaving you
> with one key that is invalid X.509, but valid OpenPGP? Yuck!

I think you got revocation wrong... Revocation is letting OTHERS know that a
key should not be trusted... There is nothing wrong in leaving the private
key in the smartcard.
Regardless of this point, a PKCS#11 token can be organized so that the same
X.509 and PGP certificates will refer to the same private key, so if that
private key is deleted both certificates will be unusable.

> Werner designed the OpenPGP Card such that the interface works well with
> OpenPGP. OpenPGP cards are intended to be used for
> authentication and OpenPGP only. They are not designed for things such as
> SSL, SSH, TLS, S/MIME, or any other cryptographic purpose.
> It is important to ensure that people do not confuse X.509 and OpenPGP,
> but implementing PKCS#11 in gpg may blur things too much.

But each user should have one smartcard... It is not logical to force a user
to keep several cards in his wallet in order to use several applications.
One smartcard can be used to have three types of identities: Authentication,
Signature (Email and data), Decryption (Email and data). There is no reason
to divide these into several physical containers.
Users will simply select different software which can access the same card
as other software...
An application that forces users to use a specific exclusive card will slowly
vanish.

> Besides it is hard enough to support just one card, imagine the problems
> that could arise if people started using cards with broken PKCS#11
> drivers, and assumed the problem was in gpg.

But this is exactly the point!
You should not develop low-level code to access each card's processor in
order to add the ability to work with smartcards, resulting in N separate
implementations.
You can benefit from the PKCS#11 high-level API in order to access
cryptographic tokens (Smartcards, HSM, software).
PKCS#11 is a standard that most vendors support; I can agree that if a vendor
did not implement the standard correctly, its token will not work with
applications. For example, Mozilla Firefox will not work with some of the
smartcards out there... And I have no claims against Mozilla, they have done a
great job!

Best Regards,
Alon Bar-Lev.




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
Lionel Elie Mamane Wrote: 

> Not unless that PKCS#11 module "is normally distributed with the major
> components of the operating system".
> (Assuming here that the PKCS#11 module would be a library that GnuPG would
> dlopen.)

So how come a GPLed application can use a display driver that is vendor
provided? I use ATI drivers... And I have a lot of GPLed programs on my
computer...
And how come a GPLed application can print on a printer using a proprietary
driver from HP (for example)? I can show you that a GPLed program loads
these drivers...
The same goes for PKCS#11, it is a driver to access the smart card... It is
just like any other peripheral component you use, it is part of the run-time
environment, so that the user may choose which device should be used,
without the software author forcing him to use a specific device.
Open source is about freedom... Right? So there is also the freedom of the
user to choose his peripheral devices, including smartcards.

Best Regards,
Alon Bar-Lev.




Re: OpenPGP Card

2005-09-05 Thread Joe Smith


"Zeljko Vrba" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

> IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a
> (relatively) simple way to interface with many smart-card
> implementations, many of which aren't ISO7816-compliant above level 3 -
> they even don't support basic interindustry commands, but provide their
> own proprietary and undocumented command set

PKCS#11 is a crypto token exchange system.
ISO7816 is a specification for a card interface.
They are 100% unrelated. Perhaps you meant the abandoned PKCS#13 which is
what many cards use.


*PKCS#11 has nothing at all to do with smartcards.*
The fact that many proprietary card drivers export a PKCS #11 interface is
merely coincidence.


That said, I think allowing a pkcs #11 interface as well as OpenPGP Card 
interface is useful in its own right.


Doesn't gpgsm support PKCS#11?

One of the larger reasons why Werner is probably reluctant to support
PKCS#11 in GPG is that X509 (which pkcs#11 is almost always used with) does
not interface well with OpenPGP. It makes better sense to have a separate
X509 key, rather than use your key for both X509 and OpenPGP. For example,
your CA can revoke your key leaving you with one key that is invalid X.509,
but valid OpenPGP? Yuck!


Werner designed the OpenPGP Card such that the interface works well with
OpenPGP. OpenPGP cards are intended to be used for authentication and
OpenPGP only. They are not designed for things such as SSL, SSH, TLS, S/MIME,
or any other cryptographic purpose. It is important to ensure that people
do not confuse X.509 and OpenPGP, but implementing PKCS#11 in gpg may blur
things too much.


Besides it is hard enough to support just one card, imagine the problems
that could arise if people started using cards with broken PKCS#11 drivers,
and assumed the problem was in gpg.






Re: Certification-only key

2005-09-05 Thread David Shaw
On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote:
> On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote:
> > On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:
> 
> >> I tried to generate an RSAv4 certification-only key with GnuPG, but
> >> failed, even in "expert mode".
> 
> >> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
> >> misunderstand the RFC?
> 
> > It's not impossible - 1.4.3 (not released yet) supports certify-only
> > keys like you want.
> 
> OK, thanks.
> 
> > It's not necessarily a good idea though: some people before agreeing
> > to sign a key will ask for a signed message to prove that you "own"
> > the secret portion of the key they are about to sign.
> 
> I would obviously have at least one data-signing subkey. I presume
> these people would take a signature from such as subkey. Or decryption
> of a nonce they sent me encrypted to an encryption subkey.

They might, but really shouldn't (I wouldn't).  When you make a
certification signature on someone else's key, you're signing the
primary key plus the user ID in question.  There is no benefit in
receiving a signed challenge from any key other than the primary.

For the same reason, encryption challenges ("can you decrypt this?")
aren't usually meaningful in OpenPGP (PGP 5+, GnuPG).  Since the
object being signed is the primary key, that's the key you want to
establish ownership of.  The huge majority of primary keys in the
world today don't or can't encrypt.

> You could argue I could have this without marking the key as
> certificate-only, by never issuing data signatures with the primary
> key. That's harder on me. I have to be more cautious. Over the course
> of twenty years, I *will* screw up.

GnuPG actually makes it hard for you to screw up here.  If there is a
subkey that can sign, GnuPG will use it rather than the primary.  The
only way to get a signature (as opposed to a key certification) from
the primary is to specify its key ID explicitly with an exclamation
point.

Some people keep their primary key offline and do their regular day to
day signing and encryption with subkeys.  In that case, it's not
possible to screw up: even if you override the default by specifying
the key ID and an exclamation point, the actual key isn't there to
use.

> Now, I'm starting to wonder if I can retroactively change the
> capabilities of the key. I just have to reissue the self-signature on
> the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change
> the key flags.)

Yes.  Obviously you can't do things like turn a DSA key into an
encryption key, but you can certainly twiddle an RSA key into whatever
you like.

David

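An added example (Python written for this page, not part of GnuPG and not code from the thread) that models the key-selection rule David describes above: a signing-capable subkey is preferred over the primary, and only a key ID with a trailing "!" forces a particular key. It runs over a constructed `gpg --with-colons --list-keys` listing whose key IDs are made up; the field positions (record type, key ID, capabilities) follow GnuPG's documented colon format, but the selection logic is a model of the stated behaviour, not GnuPG's own code.

```python
"""
Added example, not from the thread or from GnuPG itself: a model of the
signing-key choice David Shaw describes, run over a constructed
`gpg --with-colons --list-keys` listing. The key IDs below are made up.
"""

# Constructed listing: a certification-only primary key ("c" in the
# capability field) with a signing subkey and an encryption subkey.
# Field 1 = record type, field 5 = key ID, field 12 = capabilities
# (lower case = this key's own capabilities; upper case on the pub record
# summarises the whole key and is ignored here).
SAMPLE_LISTING = """\
tru::1:1125900000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1125900000::::::cESC::::::
uid:u::::1125900000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1125900000::::::s::::::
sub:u:2048:1:0F1E2D3C4B5A6978:1125900000::::::e::::::
"""


def parse_colon_listing(listing):
    """Return (primary, subkeys); each entry is (key_id, own_capabilities)."""
    primary, subkeys = None, []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12:
            continue  # tru records and blank lines have fewer fields
        rtype, key_id, caps = fields[0], fields[4], fields[11]
        own_caps = "".join(ch for ch in caps if ch.islower())
        if rtype == "pub":
            primary = (key_id, own_caps)
        elif rtype == "sub":
            subkeys.append((key_id, own_caps))
    if primary is None:
        raise ValueError("listing has no pub record")
    return primary, subkeys


def select_signing_key(listing, requested=None):
    """Model GnuPG's choice of key for a data signature.

    requested: None, a key ID, or a key ID with a trailing "!".
    Returns the key ID that would sign, or None when the explicitly named
    key cannot sign (GnuPG reports such a key as unusable rather than
    silently falling back to another one).
    """
    primary, subkeys = parse_colon_listing(listing)
    everything = [primary] + subkeys
    if requested and requested.endswith("!"):
        # Exact request: this key and no other.
        wanted = requested[:-1].upper()
        for key_id, caps in everything:
            if key_id.endswith(wanted):  # allow short 8- or 16-hex-digit IDs
                return key_id if "s" in caps else None
        raise KeyError("no key matching " + requested)
    if requested:
        wanted = requested.upper()
        if not any(key_id.endswith(wanted) for key_id, _ in everything):
            raise KeyError("no key matching " + requested)
    # Default rule: a signing-capable subkey wins over the primary.
    for key_id, caps in subkeys:
        if "s" in caps:
            return key_id
    return primary[0] if "s" in primary[1] else None


if __name__ == "__main__":
    # Lionel's worry: does the mail client hand GnuPG the primary ID with "!"?
    for request in (None, "0123456789ABCDEF", "0123456789ABCDEF!",
                    "FEDCBA9876543210!", "0F1E2D3C4B5A6978!"):
        print(repr(request), "->", select_signing_key(SAMPLE_LISTING, request))
```

With the constructed listing, no request and a request naming the primary without "!" both land on the signing subkey; naming the certification-only primary with "!" yields no usable key, which is the behaviour that makes a certify-only primary safe in day-to-day use and also the case Lionel wants to check his mail client does not trigger.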


Re: OpenPGP Card

2005-09-05 Thread Lionel Elie Mamane
On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote:
> Zeljko Vrba wrote:  

>> Neither do I understand that. Werner didn't give a single plausible
>> argument except possibly of license incompatibility. But in my
>> understanding, just incorporating PKCS#11 support into GnuPG would
>> NOT cause license incompatibility. It would happen at run-time if
>> the user chooses to load GPL-incompatible binary PKCS#11 driver
>> (which most of them are).

> Right... This argument was given to me also...
> But I could not find any justification for it...

> Let's say you use GPLed licensed program on windows... It loads
> kernel32.dll, right?

kernel32.dll falls under the following language in the GPL:

 However, as a special exception, the source code distributed need not
 include anything that is normally distributed (in either source or
 binary form) with the major components (compiler, kernel, and so on)
 of the operating system on which the executable runs, unless that
 component itself accompanies the executable.

> Since your GPLed program does not contain any other licensed code it is
> still GPLed...
> The same goes with GPLed licensed program that loads PKCS#11
> module...

Not unless that PKCS#11 module "is normally distributed with the major
components of the operating system". (Assuming here that the PKCS#11
module would be a library that GnuPG would dlopen.)

-- 
Lionel



Re: Signing MS-Excel spread sheets

2005-09-05 Thread Samuel Åslund
On Mon, Sep 05, 2005 at 08:07:13AM -0400, Berend Tober wrote:
> Kimmo Surakka wrote:
> 
> >Just my two cents worth: isn't it true that most Windows zippers can  
> >open a file "from inside a zip archive", i.e. uncompress it  
> >transparently to a temp directory and open from there? One easy-to- 
> >use solution could therefore be to store the Excel file inside a zip  
> >archive, and then sign that archive? When the second person opens the  
> >spreadsheet, all the changes Excel wants to do are done to the  
> >temporary copy -- not the actual spreadsheet itself.
> 
> That sounds like it would work, but I don't like the idea of imposing the 
> extra layer of the separate zip application like this between the 
> document and the signing step -- although it could be the approach we 
> have to take if we bring this to the next level and scan the supporting 
> documents (i.e., receipts) to jpeg files for inclusion along with the 
> spread sheet -- which would be pretty cool. However, I still have the 
> issue being discussed in a separate-but-related thread concerning 
> co-signatures.

Another option with zip-archives, if you put the signed .xls and the
signatures in the zip you should get the nonmodifiable effect and keep
the signatures "attached" to the file.

With luck there is some way to ask the zip program to execute your
script...

//Samuel





RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
Peter Pentchev wrote:

> Hate to jump into this discussion, but isn't this *exactly* why Werner
> always keeps mentioning *shared* libraries? :)

Why hate?
Can you please elaborate? I don't understand what you mean...

Best Regards,
Alon Bar-Lev.




Re: Certification-only key

2005-09-05 Thread Lionel Elie Mamane
On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote:
> On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:

>> I tried to generate an RSAv4 certification-only key with GnuPG, but
>> failed, even in "expert mode".

>> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
>> misunderstand the RFC?

> It's not impossible - 1.4.3 (not released yet) supports certify-only
> keys like you want.

OK, thanks.

> It's not necessarily a good idea though: some people before agreeing
> to sign a key will ask for a signed message to prove that you "own"
> the secret portion of the key they are about to sign.

I would obviously have at least one data-signing subkey. I presume
these people would take a signature from such a subkey. Or decryption
of a nonce they sent me encrypted to an encryption subkey.

> Why do you want such a key?

First, separation of roles. Doesn't hurt. More importantly, my wishes
on the primary key and on data signature keys are different. The
primary key is my electronic identity; it should be humongous. If it
can hold secure for all my life, then I want it to. My data
signatures, on the other hand, for most of them, a week of security is
enough (but sometimes a few years is nice). Paying the cost of big
signature size is less worth it, at least until computers again get
too fast or factorisation becomes easier or ... Maybe I even *want*
them to fade away into fakability over time. Who knows what I will be
in twenty years? I may be so unlucky as to be a politician then. I
wouldn't want some of my teenage opinions or acts to haunt me back,
would I?

You could argue I could have this without marking the key as
certificate-only, by never issuing data signatures with the primary
key. That's harder on me. I have to be more cautious. Over the course
of twenty years, I *will* screw up.

Now, I'm starting to wonder if I can retroactively change the
capabilities of the key. I just have to reissue the self-signature on
the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change
the key flags.)

-- 
Lionel



Re: OpenPGP Card

2005-09-05 Thread Peter Pentchev
On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote:
> Zeljko Vrba wrote:
> > Alon Bar-Lev wrote:
> >>
> >> I agree... So if we all understand the need of PKCS#11 in order to
> >> access cryptographic tokens, what I don't understand is how come
> >> people choose to develop low-level applications in order to work with
> >> specific devices?
> >>
> > Neither do I understand that. Werner didn't give a single plausible
> > argument except possibly of license incompatibility. But in my
> > understanding, just incorporating PKCS#11 support into GnuPG would NOT
> > cause license incompatibility. It would happen at run-time if the user
> > chooses to load GPL-incompatible binary PKCS#11 driver (which most of
> > them are).
> 
> Right... This argument was given to me also...
> But I could not find any justification for it...
> Let's say you use GPLed licensed program on windows... It loads
> kernel32.dll, right?
> Since your GPLed program does not contain any other licensed code it is
> still GPLed...
> The same goes with GPLed licensed program that loads PKCS#11 module...

Hate to jump into this discussion, but isn't this *exactly* why Werner
always keeps mentioning *shared* libraries? :)

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED][EMAIL PROTECTED][EMAIL PROTECTED]
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence was in the past tense.




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
Zeljko Vrba wrote:
> Alon Bar-Lev wrote:
>>
>> I agree... So if we all understand the need of PKCS#11 in order to
>> access cryptographic tokens, what I don't understand is how come
>> people choose to develop low-level applications in order to work with
>> specific devices?
>>
> Neither do I understand that. Werner didn't give a single plausible
> argument except possibly of license incompatibility. But in my
> understanding, just incorporating PKCS#11 support into GnuPG would NOT
> cause license incompatibility. It would happen at run-time if the user
> chooses to load GPL-incompatible binary PKCS#11 driver (which most of
> them are).

Right... This argument was given to me also...
But I could not find any justification for it...
Let's say you use GPLed licensed program on windows... It loads
kernel32.dll, right?
Since your GPLed program does not contain any other licensed code it is
still GPLed...
The same goes with GPLed licensed program that loads PKCS#11 module...

I think it is the same as gpg works with vendor's X card... The card runs an
operating system that is not GPLed... And yet... gpg is GPL...

Moreover, I've found that opensc and PAM PKCS11 are LGPL and that
openCryptoki (http://sourceforge.net/projects/opencryptoki) is GPL.

So... I think licensing should not be an issue...

Best Regards,
Alon Bar-Lev.




Re: OpenPGP Card

2005-09-05 Thread Zeljko Vrba

Alon Bar-Lev wrote:

> I agree... So if we all understand the need of PKCS#11 in order to access
> cryptographic tokens, what I don't understand is how come people choose to
> develop low-level applications in order to work with specific devices?

Neither do I understand that. Werner didn't give a single plausible
argument except possibly of license incompatibility. But in my
understanding, just incorporating PKCS#11 support into GnuPG would NOT
cause license incompatibility. It would happen at run-time if the user
chooses to load GPL-incompatible binary PKCS#11 driver (which most of
them are).




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev

Peter wrote:

> Zeljko Vrba <[EMAIL PROTECTED]> writes:
>
>> Yes, these devices are expensive for individuals.
>
> Although they're less expensive on ebay :-).  Keep an eye on that long
> enough and you'll find almost anything turning up, for example there's
> almost always some Spyrus Lynks cards on sale by someone.  Some of the
> stuff even has previous CA's keys still in the HW.
>
>> PKCS#11 is not limited to smart-cards.
>
> Yup, and that's an important point.  If you want big-iron style crypto HW
> support, your choice is either PKCS #11, CryptoAPI, or a per-hardware-device
> custom API.  I know which one I'd want...

I agree... So if we all understand the need of PKCS#11 in order to access
cryptographic tokens, what I don't understand is how come people choose to
develop low-level applications in order to work with specific devices?

Best Regards,
Alon Bar-Lev.




RE: Multiple signing - is this a common desire? (was Re: Signing MS-Excel spread sheets)

2005-09-05 Thread Kiefer, Sascha
Well, I do not know about files, but our product signs mails using 
multiple-signatures (at least two signatures are required before a mail
leaves the system).
So I think it is NOT a bad feature.

Regards,
Sascha

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Fitzner
> Sent: Montag, 5. September 2005 01:21
> To: gnupg-users@gnupg.org
> Subject: Multiple signing - is this a common desire? (was Re: 
> Signing MS-Excel spread sheets)
> 
> 
> 
> Berend Tober wrote:
> 
> > Anyway, I've looked at WinPT and GPGee and one other GUI wrapper 
> > around gnupg, but they all of course are victims of this MS Excel 
> > "feature", and furthermore none of them satisfy my other need to be 
> > able to support multiple persons signing any given document
> 
> 
> When I started with GPGee I debated the idea of handling 
> multiple-signatures.  I decided not to deal with the added 
> complexity because I didn't think it was a much called-for feature.
> 
> If this is something that people would want to do more often 
> in the real world, I'll happily add this feature.
> 
> I can even drop in something like "Set target file read-only 
> after operation" - well, if I can figure out a shorter 
> description to use for it.
> 
> Anyway, is multiple-key signing more common than I gave it credit for?
> 
>   Kurt.
> 
> 




Re: Certification-only key

2005-09-05 Thread David Shaw
On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote:
> Hi,
> 
> I tried to generate an RSAv4 certification-only key with GnuPG, but
> failed, even in "expert mode".
> 
> What I mean is a primary key that can be used to attach a subkey to
> it, or _maybe_ also to sign UserIDs of other keys (for the Web of
> Trust). But not for data signatures. As I understand the RFC, I want a
> primary key with key flags 0x01 (or maybe even 0x00?).

It would be 0x01.  0x00 is not meaningful in PGP since that would mean
"key with no capabilities".  The standard requires that all primary
keys must be able to certify.  Even if the 0x01 bit is not set by the
user, primary keys can certify.

> But GnuPG only presents me with three "bits" to flip:
> 
>  - signature, which seems to set key flag 0x03
>  - encryption, which seems to set key flag 0x0C
>  - authentication, which seems to set flag 0x21
> 
> I tried turning all three bits off, but then the key doesn't have a
> key flags subpacket (packet 27) at all and seems to be treated by
> GnuPG as a "everything is allowed" key.
> 
> Is this impossible with GnuPG? Is it a bad idea? Why? Do I
> misunderstand the RFC?

It's not impossible - 1.4.3 (not released yet) supports certify-only
keys like you want.  It's not necessarily a good idea though: some
people before agreeing to sign a key will ask for a signed message to
prove that you "own" the secret portion of the key they are about to
sign.  Without the ability to sign, such a signature is hard to
generate.

Why do you want such a key?

David



Re: OpenPGP Card

2005-09-05 Thread Zeljko Vrba

Alon Bar-Lev wrote:

> Zeljko wrote:
>
>> IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a
>> (relatively) simple way to interface with many smart-card implementations,

And I've forgot to mention one thing that may be important to some
people: PKCS#11 is not limited to smart-cards. If GPG were to support
it, it could be used with top-grade crypto modules (providing physical
security and self-destruct on tampering) such as Thales WebSentry or
nCipher. And for these things there is *no* universal standard except
for PKCS#11 and MS CAPI.

From experience I know that Thales was delivering RG732 crypto modules
with their own development kit, and they've switched to PKCS#11 + MS
CAPI in their new products (i.e. WebSentry).

Yes, these devices are expensive for individuals. But if company already
does own (for some) reason one of these, maybe they would also like to
use it for e.g. storing a company "master key" that signs employees'
keys. That's just one use-case example.




Re: Transparent keyboards

2005-09-05 Thread the dragon
I suspect, with enough horsepower and resources, any encryption can be 
broken.


I am sure, at one point, all encryption was thought to be unbreakable.

peace,
clark 'the dragon' willis



PSA: Salary <> Slavery. If you earn a salary, your employer is renting your 
services for 40 hours a week, not purchasing your soul. Your time is the 
only real finite asset that you have, and once used it can never be 
recovered, so don't waste it by giving it away.


I work to live; I don't live to work.

"Time is the coin of your life. It is the only coin you have, and only you 
can determine how it will be spent. Be careful lest you let other people 
spend it for you."


Carl Sandburg
(1878 - 1967)

Original Message Follows

Jean-David Beyer wrote:

>I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they
>have the resources to do it. It would probably take them a while if they had
>to use brute force

No, they can't do it by brute force. Look even at the power requirements
to do such a calculation: we're talking about an energy consumption that
is more than the entire sun will radiate during its entire lifetime.
I'm pretty sure that's beyond anything even the NSA can deploy.

If they are able to decrypt pgp/gpg, it will be because they either broke
an algorithm or implementation of it, or they have obtained the key by
other means (keylogger, hidden camera, tempest, virus, torture).





Re: Transparent keyboards

2005-09-05 Thread Johan Wevers
Jean-David Beyer wrote:

>I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they
>have the resources to do it. It would probably take them a while if they had
>to use brute force

No, they can't do it by brute force. Look even at the power requirements
to do such a calculation: we're talking about an energy consumption that
is more than the entire sun will radiate during its entire lifetime.
I'm pretty sure that's beyond anything even the NSA can deploy.

If they are able to decrypt pgp/gpg, it will be because they either broke
an algorithm or implementation of it, or they have obtained the key by
other means (keylogger, hidden camera, tempest, virus, torture).

-- 
ir. J.C.A. Wevers //  Physics and science fiction site:
[EMAIL PROTECTED]   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
>> I won't agree to this because there is at least one large company in
>> Germany using Smartcards along with gpgsm.
>
> Well OK, so there's always exceptions, but I don't think there's enough to
> drive significant demand for this - all the commercial users I've seen who
> want smart cards/PKCS #11/whatever want to use it with standard commercial
> software and, you know, that stuff with the 'X' and some digits in it :-).

I think that many enterprises are looking first for open source solutions...
If they find one that is suitable, they don't buy commercial product.
The problem is that the open source community does not always understand
which standard to support, and many, like gpg, invent their own...

Best Regards,
Alon Bar-Lev.




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev

Peter wrote:

>> Oh, that's the old Aladdin stuff.  Well, they've certainly come a
>> *long* way since I last looked at them - in the 1999-2000 time frame
>> they had the worst PKCS #11 driver I've ever seen, and their "support"
>> consisted of telling you to buy more copies of their $700 SDK to see
>> whether they'd fixed any of the bugs in the version you already had.
>
> Argh, sorry, wrong driver, it's the ActivCard drivers (and support) that
> were that bad, not Aladdin.  Aladdin (and by extension ASECard and Athena
> Cards, and eTokens as well) work just fine.  Just to repeat that: Nothing
> wrong with Aladdin's PKCS #11.

I am glad you corrected yourself...
ActivCard did not implement a good CSP/PKCS#11 on Windows too... :(

Athena and Aladdin produce good support software... I am using their cards
and I am very happy... Athena supports Linux well... And even shares the same
cards between Windows CSP/PKCS#11 and Linux PKCS#11!!!

Best Regards,
Alon Bar-Lev




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
Zeljko wrote:

>> I would have helped merging it if I knew that there is a chance to merge
>> it into the gpg source.
>
> Judging by the discussion on this list.. it seems that there is no chance
> for that :(
>
> Look in the archives of gnupg lists, IIRC it is around November 2004, for
> threads started by me. I was quickly discouraged by Werner and nowhere as
> persistent as you in trying to persuade him into the usefulness of PKCS#11.

Yes... I agree... I gave up... Tried to help... And failed.

> IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a
> (relatively) simple way to interface with many smart-card implementations,
> many of which aren't ISO7816-compliant above level 3 - they even don't
> support basic interindustry commands, but provide their own proprietary
> and undocumented command set.

I agree!

> Personally, I think that applications not supporting PKCS#11 and/or MS
> CAPI will become extinct much before than non-compliant ISO7816 cards.
> These two have become the de-facto industry standards. I'm no fortune
> teller, so time will prove me right or wrong :)

This is exactly my claim... I've tried to introduce this argument to
Werner... But without any success...
I was out of new arguments when I gave up... I think that an open source
project that does not support software interaction standards will be
replaced by a different solution when the time comes.

Best Regards,
Alon Bar-Lev.






Re: OpenPGP Card

2005-09-05 Thread Zeljko Vrba

Alon Bar-Lev wrote:

> I use Athena smartcard www.athena-scs.com which works perfectly in terms of
> Linux and PKCS#11. I enjoy using it with Java JCE, Mozilla, Thunderbird,
> PAM_PKCS11, I've encrypted my disk using aes-loop and then required gpg to
> support PKCS#11... And here we are...

Great! When I was developing my patch, I had only Cryptoflex 8k cards
available (still have a few of them, but not at my current geographical
location :)).

> This is great work!

Thanks.

> But the work needs to be moved into gpg-agent... :(

Probably not too difficult, but still time-consuming to understand the
existing code.. and that would probably be wasted time, unless you want
to make a life-time commitment to keep the patch in pace with gpg
development.

> I would have helped merging it if I knew that there is a chance to merge it
> into the gpg source.

Judging by the discussion on this list.. it seems that there is no
chance for that :(

Look in the archives of gnupg lists, IIRC it is around November 2004,
for threads started by me. I was quickly discouraged by Werner and
nowhere as persistent as you in trying to persuade him into the
usefulness of PKCS#11.

IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a
(relatively) simple way to interface with many smart-card
implementations, many of which aren't ISO7816-compliant above level 3 -
they even don't support basic interindustry commands, but provide their
own proprietary and undocumented command set.

Personally, I think that applications not supporting PKCS#11 and/or MS
CAPI will become extinct much before than non-compliant ISO7816 cards.
These two have become the de-facto industry standards. I'm no fortune
teller, so time will prove me right or wrong :)




RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev
Hello,

> That's correct, it was my proposal in question. The problem is that, under
> Linux, I couldn't find a smart-card + PKCS#11 combination that works
> correctly enough (out of the box) to be usable with cryptlib.

I use Athena smartcard www.athena-scs.com which works perfectly in terms of
Linux and PKCS#11. I enjoy using it with Java JCE, Mozilla, Thunderbird,
PAM_PKCS11, I've encrypted my disk using aes-loop and then required gpg to
support PKCS#11... And here we are...

> Patch that enables the use of any smart-card with GnuPG. It allows the use
> of cards with pregenerated keys and uses an auxiliary file to feed metadata
> into GnuPG (I'm assuming a read-only token). Signing works correctly.
>
> http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch
> http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc
>
> There is a g10/p11howto.txt describing how to use it. I've given up on
> maintaining it because of Werner's attitude towards PKCS#11. If someone
> else wants to maintain it - be welcome. I will provide you some help if
> necessary.

This is great work!
But the work needs to be moved into gpg-agent... :(

I would have helped merging it if I knew that there is a chance to merge it
into the gpg source.

Best Regards,
Alon Bar-Lev.




Certification-only key

2005-09-05 Thread Lionel Elie Mamane
Hi,

I tried to generate an RSAv4 certification-only key with GnuPG, but
failed, even in "expert mode".

What I mean is a primary key that can be used to attach a subkey to
it, or _maybe_ also to sign UserIDs of other keys (for the Web of
Trust). But not for data signatures. As I understand the RFC, I want a
primary key with key flags 0x01 (or maybe even 0x00?).

But GnuPG only presents me with three "bits" to flip:

 - signature, which seems to set key flag 0x03
 - encryption, which seems to set key flag 0x0C
 - authentication, which seems to set flag 0x21

I tried turning all three bits off, but then the key doesn't have a
key flags subpacket (packet 27) at all and seems to be treated by
GnuPG as a "everything is allowed" key.

Is this impossible with GnuPG? Is it a bad idea? Why? Do I
misunderstand the RFC?


Thanks for your explanations,

-- 
Lionel


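Lionel's three GnuPG "bits" (0x03, 0x0C, 0x21) and David Shaw's reply that a primary key can always certify both concern the OpenPGP Key Flags subpacket (type 27). As an added example, not code from the thread and not GnuPG's own code, here is a small Python decoder for that subpacket, using the bit values listed in RFC 2440 / RFC 4880 section 5.2.3.21. Treating a key that has no key-flags subpacket at all as "everything is allowed" is an assumption that matches what Lionel observed for his RSA key; the function and constant names are mine.

```python
# Decoding the OpenPGP Key Flags subpacket (type 27) discussed in the thread.
# Added example, not GnuPG code.  Bit values follow RFC 2440 / RFC 4880
# section 5.2.3.21; the "primary keys always certify" rule is David's point.

KEY_FLAGS_SUBPACKET = 27

FLAG_BITS = {
    0x01: "certify",                # may certify other keys (UserID signatures)
    0x02: "sign",                   # may sign data
    0x04: "encrypt_communications",
    0x08: "encrypt_storage",
    0x10: "split_key",              # private part may be split by secret sharing
    0x20: "authenticate",
    0x80: "group_key",              # private part may be held by several people
}

# Assumption: a key with no key-flags subpacket is treated as able to do
# everything its algorithm allows, which for RSA is all of these (this is
# what Lionel observed GnuPG doing).
ALL_USAGE = {"certify", "sign", "encrypt_communications",
             "encrypt_storage", "authenticate"}


def parse_key_flags_subpacket(sub: bytes) -> int:
    """Return the flags octet of a signature subpacket laid out as
    [1-octet length][type][flags...].  Only the one-octet length form
    (< 192) is handled; key flags are a single octet in practice."""
    if len(sub) < 3:
        raise ValueError("subpacket too short")
    length = sub[0]
    if length >= 192:
        raise ValueError("only one-octet subpacket lengths are handled here")
    if length + 1 != len(sub):
        raise ValueError("length octet does not match the data")
    if sub[1] & 0x7F != KEY_FLAGS_SUBPACKET:    # bit 7 is the 'critical' marker
        raise ValueError("not a key flags subpacket")
    return sub[2]


def capabilities(flags, primary: bool) -> set:
    """Usage a key is permitted, given its flags octet (None = no subpacket)."""
    if flags is None:
        caps = set(ALL_USAGE)
    else:
        caps = {name for bit, name in FLAG_BITS.items() if flags & bit}
    if primary:
        caps.add("certify")     # the standard: every primary key can certify
    return caps


def is_certify_only(flags, primary: bool) -> bool:
    """The key Lionel asked for: certify, but nothing else."""
    return capabilities(flags, primary) == {"certify"}


if __name__ == "__main__":
    # Lionel's three GnuPG "bits" as he saw them on the wire, plus the
    # certify-only case and a key with the subpacket missing altogether.
    for label, flags in [("signature", 0x03), ("encryption", 0x0C),
                         ("authentication", 0x21), ("certify-only", 0x01),
                         ("no subpacket", None)]:
        print(f"{label:15s} {sorted(capabilities(flags, primary=True))}")
    print(parse_key_flags_subpacket(b"\x02\x1b\x03"))   # 3
```

Note that 0x21 decodes to authenticate plus certify, which is why Lionel saw the 0x01 bit come along with "authentication" on a primary key, and that turning all three bits off yields no subpacket rather than a 0x01 subpacket, which is the gap David says 1.4.3 fills.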


RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev

>> The conclusion of my discussion with people here is that the need of
>> using PKCS#11 for accessing various smartcards is not clear. I've tried to
>> highlight the advantages of using standard software API to access
>> external devices, but I've failed.
>
> Users of crypto tokens tend to fall into two classes, hobbyists/enthusiasts
> (who don't mind hacking their own glue code, so PKCS #11 isn't too
> important), and commercial/business users (who really need PKCS #11 but who
> probably wouldn't use GPG).  The result is, as you've found, something of a
> lack of a market for PKCS #11 combined with GPG.

I agree... But I was still amazed... If you read the PKCS#11 correspondence
you will notice that there is a remote possibility to agree the usage of
PKCS#11 in a way that gpg will be the provider... So that other applications
can use gpg keys... This was really strange. The whole idea is to separate
between application logic (gpg) and device access (Smartcards, HSM)...

Best Regards,
Alon Bar-Lev.




new (2005-09-04) keyanalyze results (+sigcheck)

2005-09-05 Thread Jason Harris

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2005-09-04/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

SHA-1                                     Size      File
252e0f13e55a2ca2ca32886f211e7471d08afce6  12916224  preprocess.keys
cb882ca6570486e9f20879accc1e4d3dab102238  7871329   othersets.txt
890e81a284d0087c6587feb3e1c7ca046b4bda79  3190186   msd-sorted.txt

a751f9d5477744a4f5e5ce6ebad6a60908e317ee  1372      index.html
56433a9a8c1aa573893f03c5c6a2c0282aa9bb4c  2291      keyring_stats
26c3982c68658092c19c210abec94fe0351e98b0  1253289   msd-sorted.txt.bz2
fdd2a5d063a4817b86f6a595441ff23ce24cb321  26        other.txt
e5737d65e99fb365b6ce180b6dffc39c062d4e02  1697277   othersets.txt.bz2
d9774ab70de75e25ff27ab89eb745f3725996c7a  5219110   preprocess.keys.bz2
df084c3d93601c1669975012110398ec6c34a0bf  13046     status.txt
740907630c1b3c8882c93d6987a549ea74be87bd  210121    top1000table.html
8447fc107e1c02788ee5bed7143a13aa608c97d5  30191     top1000table.html.gz
483d02289f157c12fd4a00a8fa6722a20785bf2a  10785     top50table.html
56ac06d6254b663d9ed114144f621cf53c8ea65c  2534      D3/D39DA0E3

-- 
Jason Harris   |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web:  http://keyserver.kjsl.com/~jharris/
  Got photons?   (TM), (C) 2004




Re: OpenPGP Card

2005-09-05 Thread Werner Koch
On Tue, 06 Sep 2005 01:23:51 +1200, Peter Gutmann said:

> and commercial/business users (who really need PKCS #11 but who probably
> wouldn't use GPG).  The result is, as you've found, something of a lack of a

I won't agree to this because there is at least one large company in
Germany using Smartcards along with gpgsm.


Salam-Shalom,

   Werner






Re: OpenPGG Card

2005-09-05 Thread Zeljko Vrba

Peter Gutmann wrote:

> I'd already offered the use of my PKCS #11 interface code from cryptlib for
> GPG use some time ago.  This should do everything you need and has had years
> of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly
> easier than going through the entire learning curve yourself.

That's correct, it was my proposal in question. The problem is that,
under Linux, I couldn't find a smart-card + PKCS#11 combination that
works correctly enough (out of the box) to be usable with cryptlib.

GPG needs at three different keys and static data storage. I have a
patch emulating static data storage, enabling the use of pre-generated keys.

I don't remember exactly all the details, but I did disregard cryptlib
for some reason (not because of its quality which is superb, but because
of the state of.. smart-card and PKCS#11 issues on Linux).

For interested parties in this thread:

OpenPGP Java card applet (almost finished):
http://www.core-dump.com.hr/index.pl?node_id=421

Patch that enables the use of any smart-card with GnuPG. It allows the
use of cards with pregenerated keys and uses an auxiliary file to feed
metadata into GnuPG (I'm assuming a read-only token). Signing works
correctly.

http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch
http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc

There is a g10/p11howto.txt describing how to use it. I've given up on
maintaining it because of Werner's attitude towards PKCS#11. If someone
else wants to maintain it - be welcome. I will provide you some help if
necessary.




Re: PKCS#11 support for gpg-agent

2005-09-05 Thread Werner Koch
On Mon, 5 Sep 2005 08:35:15 +0100 (BST), Nicholas Cole said:

> gpg-1.9, and the thinking behind adding support for
> s/mime.  What is the "roadmap" (from the point of view
> of users) for gpg?

* The most important task is to integrate gpg 1.4 code base into gpg
  1.9.  I did this a long time ago but in the meantime we changed a lot
  of stuff in 1.4, so that it needs to be done again.

* The format of the keyrings will be switched to a newer one (KBX).
  This should really help with larger keyrings and provides some other
  goodies.

* Release 2.0

> Is there any sense in which opengpg is, or may be
> soon, a deprecated standard? 

NO.  We all like OpenPGP far more than S/MIME.

> Beyond the pros and cons of centralised CAs, what are
> the advantages of the two?

To match the structure of the organisation.  OpenPGP allows for all
kinds of PKIs; whereas X.509 requires a hierarchical one.



Salam-Shalom,

   Werner




Re: OpenPGG Card

2005-09-05 Thread Werner Koch
On Mon, 05 Sep 2005 15:07:22 +1200, Peter Gutmann said:

> I'd already offered the use of my PKCS #11 interface code from cryptlib for
> GPG use some time ago.  This should do everything you need and has had years

Thanks.  That would indeed help to write a pkcs#11 implementation to
connect Mozilla et al with gpg-agent/scdaemon. 

Regarding use of pkcs#11 below scdaemon: This might be possible by
writing an app-p11 module.  However, I still doubt that it makes much
sense.  Tweaking app-p15 for the existing cards seems to be a cleaner
way to me.

BTW, I just committed support for T=0 cards, tested with the Belgian
eID card.


Shalom-Salam,

   Werner




Re: Transparent keyboards

2005-09-05 Thread the dragon
This thread is taking a turn to the absurd, and I have been thinking about 
it.


I fully support the ability to maintain your right to privacy, such as the 
government has granted you, to its fullest.


However, if you're involved in a terrorist movement, and it appears the 
original poster is if the government is involved in one, even if it's under 
the guise of "animal rights" (as if they have any), then I support the 
ability of law enforcement to investigate, prosecute and convict the 
perpetrator.


Good grief, if you need to be that paranoid, then maybe you should find a 
more legal cause to be involved in.


peace,
clark 'the dragon' willis






Re: Key signing policy

2005-09-05 Thread Neil Williams
On Monday 05 September 2005 4:09 am, Cameron Metzke wrote:
> Does anyone have solid written key signing policy?

I don't think there is one policy to fit all needs. There are FAQ's and 
HOWTO's on keysigning events/parties and lots of groups have their own 
policies for their own needs. There are also tools like CA Bot (by Peter 
Palfrader) and others that help in keysigning - particularly when keys and 
identities are verified at distant events and the participants won't 
necessarily meet again for a considerable time.

http://www.palfrader.org/#cabot
http://cabot.alioth.debian.org/

There's a very simple HOWTO for those who don't know the details of *how* to 
sign a key:
http://gnupg.neil.williamsleesmill.me.uk/book1.html

A more general FAQ based on the GNU Privacy Handbook:
http://www.dcglug.org.uk/linux_adm/gnupg.html
and containing its own keysigning guide:
http://www.dcglug.org.uk/linux_doc/gnupgsign.html

And the general keysigning HOWTO:
http://www.cryptnet.net/fdp/crypto/gpg-party.html

All are written from a standpoint of a loose association of GnuPG users who 
correspond regularly by email and meet occasionally or just once. Each 
document tends to consider participants as individuals with their own 
individual key(s) and with no "group key" or "group hierarchy".

i.e. they are policies for friends/contacts, not necessarily policies for 
employer/employees.

These may need to be adapted for your purposes. The main DCGLUG guide at 
http://www.dcglug.org.uk/linux_doc/startgnupg.html
is licenced under the GNU Free Documentation Licence.

-- 

Neil Williams
=
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/





Re: Transparent keyboards

2005-09-05 Thread Jean-David Beyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Sabino Mullane wrote:
> 
> 
>>>Once a computer or other device that needs secure access is sufficiently
>>>protected, it becomes cheaper for a large government agency to resort to
>>>bribery or torture to get the information it wants. Assuming they do not
>>>wish to try bribery, are you sure you want your machine that safe?
> 
> 
> That's a silly argument. Because they are ways of obtaining your
> passphrase by force, you shouldn't bother using one or take other
> protective measures? Last I heard, the government of Finland was not
> known for torturing its citizens. 

I do not say you should not take protective measures. I just say to consider
that if your protective measures are so effective that using force  or
torture are cheaper than the alternatives, that you expose yourself to such
measures if your information is actually worth it.

I am glad Finland is such a country. But what if an agency known to employ
torture, or not known to do so but that does, chooses to operate in Finland,
most likely without the knowledge or consent of the government of Finland... ?
> 
> 
>>>I assume you are using gnupg for all your correspondence with everyone. If
>>>you encrypt only your sensitive communications, it will be painfully obvious
>>>which of your e-mails to decrypt, saving the black hats a lot of trouble.
> 
> 
> A lot of trouble in what way? Do you know of a black hat agency able to
> decrypt exi[s]ting gpg-encrypted messages?

It is pretty easy once they have the passphrases or private keys. And once a
suitable keylogger is in there, they get them very easily.

I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they
have the resources to do it. It would probably take them a while if they had
to use brute force (and perhaps that is what they would do, again, if they
felt the information was actually worth it). Probably no one on this
newsgroup actually knows how much compute power the NSA has at its disposal.
At one time, the budget of the NSA was about 10x the budget of the CIA (to
the great annoyance, apparently, of the DCI). I imagine a lot of their
budget was spent on computing equipment, general purpose and special purpose.
> 
> The original poster may want to check out "Tinfoil Hat Linux"[1] which has
> some interesting capabilities, including an anti-keylogger measure. A
> laptop or PDA with its own keyboard could be useful as well.
> 
> [1] http://tinfoilhat.shmoo.com/
> 

- --
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:15:00 up 82 days, 2:11, 4 users, load average: 5.23, 5.18, 4.91
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDHDkNPtu2XpovyZoRAiN7AJ91pz9h5uqJ1vsJBeTju61Klda5lwCfU4dL
YH5/sZwJd7XqYHRKx6KkjNU=
=QRHs
-----END PGP SIGNATURE-----



Re: Signing MS-Excel spread sheets

2005-09-05 Thread Berend Tober

Kimmo Surakka wrote:

> Berend Tober wrote:
>
>> Indeed, and I even included in my original post "(Aside from the
>> obvious -- "Stop using MS-Excel!" -- because that is a failure I
>> cannot control...)".  Kids these days
>>
>> Anyway, I've looked at WinPT and GPGee and one other GUI wrapper
>> around gnupg, but they all of course are victims of this MS Excel
>> "feature", and furthermore none of them satisfy my other need to be
>> able to support multiple persons signing any given document, either
>> (cf. other mailing list message thread "Multiple signatures on a
>> single file").
>
> Just my two cents worth: isn't it true that most Windows zippers can
> open a file "from inside a zip archive", i.e. uncompress it
> transparently to a temp directory and open from there? One easy-to-use
> solution could therefore be to store the Excel file inside a zip
> archive, and then sign that archive? When the second person opens the
> spreadsheet, all the changes Excel wants to do are done to the
> temporary copy -- not the actual spreadsheet itself.


That sounds like it would work, but I don't like the idea of imposing the
extra layer of the separate zip application like this between the
document and the signing step -- although it could be the approach we
have to take if we bring this to the next level and scan the supporting
documents (i.e., receipts) to jpeg files for inclusion along with the
spread sheet -- which would be pretty cool. However, I still have the
issue being discussed in a separate-but-related thread concerning
co-signatures.


The command script I'm refining seems to do all that I need, even if it
has some rough edges:


gpg --sign.cmd:

@echo off
rem Usage: "gpg --sign.cmd" <file>  (or drop the file on a Send To shortcut).
rem Appends one armored detached signature for %USERNAME% to <file>.asc, so
rem each further signer adds a block without disturbing the earlier ones.
if "%~1"=="" exit /b 1

rem Mark the document read-only so a reviewer's application (Excel) cannot
rem rewrite it and invalidate the signatures already collected.
attrib +r "%~1"
gpg --detach-sign --armor --comment "Signature of %USERNAME%" --local-user "%USERNAME%" -o - "%~1" >> "%~1.asc"


along with

gpg --verify.cmd:

@echo off
rem Usage: "gpg --verify.cmd" <file>.asc
rem gpg looks for <file> next to the .asc and reports every signature in it.
gpg --verify "%~1"
echo.
pause


to list the co-signators. Lastly, I make short cuts in the Windows "Send 
To" folder, putting these two features in the Explorer context menu. 
Seems to work o.k.


-- BMT





Re: Multiple signatures on a single file

2005-09-05 Thread Berend Tober

Alphax wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: RIPEMD160
>
> Berend Tober wrote:
>
>> Is it possible to have multiple persons sign a single file? If so, how
>> is this done?
>>
>> The particular scenario is currently this: Employees submit expense
>> reports for business travel using a spread sheet. Current practise is
>> that the employee fills out spread sheet via computer (or optionally
>> prints blank spread sheet template and writes by hand with a pen),
>> physically signs using pen and ink, physically delivers signed hardcopy
>> to supervisor for supervisor pen-and-ink signature prior to payment
>> processing.
>>
>> Desired practise is to eliminate both producing hard copy and
>> pen-and-ink signatures, and then re-work the process using gpg
>> electronic signatures. Thus, employee would enter data into expense
>> report spread sheet, save, gpg sign, mail to supervisor, supervisor
>> would (presumably) open and review spread sheet, close without changing,
>> gpg sign, and then return to employee or forward to accounting dept.
>>
>> Sounds straightforward, but I didn't spot in the various
>> manuals/guides/how-to's for gnupg how a second individual could add
>> their signature after me.
>
> Use detached signatures? Generate a key to sign the document with, and
> have that key signed by the supervisor?
 

What I don't like about doing that explicitly is that every additional
signature, at least in the default operational mode, appends an
additional ".sig" file extension. Furthermore, the signatures are
wrapped within one another, so that verification would require
serial verification of each preceding outer layer signature. What I've
been refining during the last couple of days uses a command line script to
append additional detached signatures into a single signature file. This
approach models more directly the co-signature concept of legacy
contracts, i.e., think of buying a house -- you and your spouse are
co-signators rather than having one sign the contract and the other sign
the other's signature. What you suggested models the concept of a notary
public witnessing a signature, but that we already have by signing
public keys in the trust model.


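
The approach described in the reply above (each signer appending a detached signature to one file, with gpg --verify then reporting every signer) works because an OpenPGP detached signature file is nothing more than a sequence of signature packets. The following is an added example written for this page, not code from the thread or from GnuPG: a small parser that walks such a multi-signature stream and lists the issuer key ID of each packet. It works on the binary packet form; an armored .asc holds the same bytes, base64-wrapped one block per appended signature. The two sample packets, their key IDs and their signature values are constructed dummies (RFC 4880 framing only, no real cryptography), and the MPI length check is the same condition that gpg reports as "mpi larger than indicated length".

```python
# Added example (not from the thread, not GnuPG code): list the co-signers in a
# detached signature file that several people appended to. Each appended
# signature is one OpenPGP signature packet, so a verifier just reads packets
# until the data ends; the armored .asc form is the same bytes, base64-wrapped
# per block. Sample input is constructed: framing follows RFC 4880, key IDs and
# signature values are dummies, so only the parsing (no cryptography) runs.
import struct

SIGNATURE_PACKET, ISSUER_SUBPACKET = 2, 16          # packet tag / subpacket type

def packet_header(buf, pos):
    """(tag, body_start, body_len) for the packet at buf[pos], old or new format."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body length is not valid for a signature packet")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03      # old-format header, the form gpg uses here
    if ltype == 3:
        raise ValueError("indeterminate length is not valid for a signature packet")
    width = 1 << ltype                              # 1, 2 or 4 length bytes
    return tag, pos + 1 + width, int.from_bytes(buf[pos + 1:pos + 1 + width], "big")

def parse_mpi(buf, pos, end):
    """MPI: 2-byte bit count, then ceil(bits/8) bytes. A zero-length MPI is the value 0."""
    if pos + 2 > end:
        raise ValueError("truncated mpi")
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    stop = pos + 2 + (bits + 7) // 8
    if stop > end:                                  # the check behind gpg's error of the same name
        raise ValueError("mpi larger than indicated length")
    return int.from_bytes(buf[pos + 2:stop], "big"), stop

def subpackets(area):
    """Yield (type, payload) per subpacket; bit 7 of the type byte is the critical flag."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def parse_signature(body):
    """Fields of a v4 signature packet body that a co-signer listing needs."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    sig_type, pk_algo, pos, areas = body[1], body[2], 4, []   # 4: past version, type, pk algo, hash algo
    for _ in range(2):                              # hashed area, then unhashed area
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        areas.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    pos += 2                                        # leftmost 16 bits of the signed hash
    mpis = []
    for _ in range(1 if pk_algo in (1, 3) else 2):  # RSA: one MPI; DSA/ECDSA/EdDSA: r and s
        value, pos = parse_mpi(body, pos, len(body))
        mpis.append(value)
    if pos != len(body):
        raise ValueError("trailing bytes after the signature MPIs")
    issuer = next((p.hex().upper() for a in areas for t, p in subpackets(a)
                   if t == ISSUER_SUBPACKET and len(p) == 8), None)
    return {"sig_type": sig_type, "pk_algo": pk_algo, "issuer": issuer, "mpis": mpis}

def list_signers(buf):
    """One record per signature packet in a detached signature stream of any length."""
    pos, sigs = 0, []
    while pos < len(buf):
        tag, start, length = packet_header(buf, pos)
        if tag != SIGNATURE_PACKET or start + length > len(buf):
            raise ValueError("malformed detached signature file")
        sigs.append(parse_signature(buf[start:start + length]))
        pos = start + length
    return sigs

def build_signature(issuer_keyid, sig_value):
    """Constructed v4 RSA/SHA-256 signature packet with a dummy MPI and old-format header."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1125878400)     # creation time subpacket, 2005-09-05
    unhashed = bytes([9, ISSUER_SUBPACKET]) + issuer_keyid     # issuer subpacket
    bits = sig_value.bit_length()
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34"
            + struct.pack(">H", bits) + sig_value.to_bytes((bits + 7) // 8, "big"))
    return bytes([0x89]) + struct.pack(">H", len(body)) + body   # 0x89: old format, tag 2, 2-byte length

# Constructed sample: what two `gpg --detach-sign -o - file >> file.sig` runs by
# different signers leave behind. Key IDs are hypothetical.
SAMPLE_SIG = (build_signature(bytes.fromhex("0123456789ABCDEF"), 0xDEADBEEF << 240)
              + build_signature(bytes.fromhex("FEDCBA9876543210"), 0xC0FFEE))

if __name__ == "__main__":
    for sig in list_signers(SAMPLE_SIG):
        print(f"signature by key {sig['issuer']}, type 0x{sig['sig_type']:02x}, pk algo {sig['pk_algo']}")
```

To compare against a real file, `gpg --list-packets file.asc` prints the same packet sequence that list_signers walks; one "signature packet" entry per co-signer is what the appended-signature script produces. The parser stops on the first malformed packet rather than skipping it, which is the behaviour a verifier wants: a signature file that cannot be fully parsed should not report any signer as verified.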


RE: OpenPGP Card

2005-09-05 Thread Alon Bar-Lev

> I'd already offered the use of my PKCS #11 interface code from cryptlib for
> GPG use some time ago.  This should do everything you need and has had years
> of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly
> easier than going through the entire learning curve yourself.

Nice!
The conclusion of my discussion with people here is that the need for using
PKCS#11 for accessing various smartcards is not clear. I've tried to
highlight the advantages of using a standard software API to access external
devices, but I've failed.

Best Regards,
Alon Bar-Lev.




Re: Signing MS-Excel spread sheets

2005-09-05 Thread Kimmo Surakka

Berend Tober wrote:

> Indeed, and I even included in my original post "(Aside from the
> obvious -- "Stop using MS-Excel!" -- because that is a failure I
> cannot control...)".  Kids these days
>
> Anyway, I've looked at WinPT and GPGee and one other GUI wrapper
> around gnupg, but they all of course are victims of this MS Excel
> "feature", and furthermore none of them satisfy my other need to be
> able to support multiple persons signing any given document, either
> (cf. other mailing list message thread "Multiple signatures on a
> single file").

Just my two cents worth: isn't it true that most Windows zippers can
open a file "from inside a zip archive", i.e. uncompress it
transparently to a temp directory and open from there? One easy-to-use
solution could therefore be to store the Excel file inside a zip
archive, and then sign that archive? When the second person opens the
spreadsheet, all the changes Excel wants to do are done to the
temporary copy -- not the actual spreadsheet itself.


Kusti





Re: OpenPGP Card

2005-09-05 Thread Peter Gutmann
Benjamin Donnachie <[EMAIL PROTECTED]> writes:

>I saw that...  Perhaps we should "fork" GPG and work on a PKCS#11 compliant
>version...  I'm fairly new to smartcards, but I have a fair bit of other
>programming experience...

I'd already offered the use of my PKCS #11 interface code from cryptlib for
GPG use some time ago.  This should do everything you need and has had years
of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly
easier than going through the entire learning curve yourself.

Peter.




Re: [outlgpg] Outlook 2002 Crash

2005-09-05 Thread Timo Schulz
Am Mon, 2005-08-29 um 20.15 schrieb Ryley Breiddal:


> I'm running Outlook 2002 SP2 on Windows 2000, and whenever I try to sign
> a message, Outlook crashes.  There was a report recently, archived at
> http://lists.gnupg.org/pipermail/gnupg-users/2005-August/026511.html
> whose symptoms match mine exactly.
> 
> I have GPGExch.dll version 0.6.1 and libgpgmedlgs.dll version 0.99.4.
> My GPG version is 1.4.2 (I installed WinPT 0.10.0).

Please use the new GPGol version. The old 'OutlGPG' version will no
longer be maintained and is now replaced with GPGol.


Timo





Re: [Sks-devel] Re: zero-length MPIs

2005-09-05 Thread Adam Schreiber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Shaw wrote:
> Try this patch.

I get an MPI error with this patch I didn't get with Klaus'.

*snip*
gpg: mpi larger than indicated length (2 bytes)
gpg: keyring_get_keyblock: read error: invalid packet
gpg: keydb_get_keyblock failed: invalid keyring
*snip*

Adam Schreiber

- --
Why isn't all of your email protected?
http://gnupg.org
http://enigmail.mozdev.org
http://seahorse.sourceforge.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFDFnvqjU1oaHEI4wgRAv/MAKCltzlrWdWElPm4Gis173DWKeHKvACYyJdW
xXcd3RTxVp7/8OF7TeezrA==
=bdKw
-END PGP SIGNATURE-



[outlgpg] Outlook 2002 Crash

2005-09-05 Thread Ryley Breiddal
Hi there,

I'm running Outlook 2002 SP2 on Windows 2000, and whenever I try to sign
a message, Outlook crashes.  There was a report recently, archived at
http://lists.gnupg.org/pipermail/gnupg-users/2005-August/026511.html
whose symptoms match mine exactly.

I have GPGExch.dll version 0.6.1 and libgpgmedlgs.dll version 0.99.4.
My GPG version is 1.4.2 (I installed WinPT 0.10.0).

I've noticed a couple things.  The GnuPG prefs dialog seems to lose my
settings on a fairly regular basis, seemingly on the crashes.  I also
get a mix of crashes that pop up the "send a report to MS" dialog and
ones that just silently close Outlook.  The loss of settings always
comes with the first group of crashes.  The settings that keep getting
lost are specifically "Also encrypt with default key" and the logging
location.  The stuff in advanced always stays the same.

Path to key-manager binary question - I saw somewhere that I should set
it to "PATH/WinPT.exe --keymanager" but I can't get it to accept
anything but "PATH/WinPT.exe".  Any suggestions?

Similarly to Richard, I haven't figured out how to get a stack trace out
of Outlook yet, but I'm working on it.  In the meantime, I'm happy to
provide any other information that might be of interest.

Please CC any replies to me, as I'm not on the mailing list.

Regards,

___
Ryley Breiddal
PresiNET Systems







Re: [Sks-devel] Re: zero-length MPIs

2005-09-05 Thread Klaus Singvogel
-BEGIN PGP SIGNED MESSAGE-

I can confirm too that the patch of David Shaw is working fine.

Thanks.

Regards,
Klaus.

Adam Schreiber wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Please ignore my previous email.  The patch works for me.
> 
> 
> Adam Schreiber
> 
> - --
> Why isn't all of your email protected?
> http://gnupg.org
> http://enigmail.mozdev.org
> http://seahorse.sourceforge.net
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFDFnx3jU1oaHEI4wgRAihPAJkB2BpJW+fej/HfvStxYCQTdCvETQCg4jA4
> DA7CvncNxh2hDubCGbIoO2A=
> =Can1
> -END PGP SIGNATURE-

- -- 
Klaus Singvogel
SUSE LINUX Products GmbH
Maxfeldstr. 5         E-Mail: [EMAIL PROTECTED]
90409 Nuernberg       Phone: +49 (0) 911 740530
Germany               GnuPG-Key-ID: 1024R/5068792D  1994-06-27
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iQCVAwUBQxbl7rbjw8ZQaHktAQF9PgP/Z0Xs81u0SjC98iCK9mmQEKI/c/5Q54CO
/fj/LkkunLQ7r+5ywwxJ/5htLEHKz4iY5QCvYCGc72H8S0IqX1KN3ThTTTsWiDy6
FWVb/svpOfQks9Zu6MJegxiphX+oHwieza6SVB3Y5/r2pC/gzQF3syiC/YOoI6r1
DbMPEtF0FSE=
=ran3
-END PGP SIGNATURE-



Re: [Sks-devel] Re: zero-length MPIs

2005-09-05 Thread Adam Schreiber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Klaus Singvogel wrote:
> Please confirm for me that my thinking is correct here.

I'm not sure if Klaus' thinking is correct, but his patch clears up the
MPI errors I was receiving.

Adam Schreiber

- --
Why isn't all of your email protected?
http://gnupg.org
http://enigmail.mozdev.org
http://seahorse.sourceforge.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDFgCEjU1oaHEI4wgRAnQdAKDJfzhnHslrWKd7CCz0j2NiA1TM8QCglrwF
S4UcEMVOzn+TRmQvHkh25Ks=
=f736
-END PGP SIGNATURE-



Re: [Sks-devel] Re: zero-length MPIs

2005-09-05 Thread Adam Schreiber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Please ignore my previous email.  The patch works for me.


Adam Schreiber

- --
Why isn't all of your email protected?
http://gnupg.org
http://enigmail.mozdev.org
http://seahorse.sourceforge.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDFnx3jU1oaHEI4wgRAihPAJkB2BpJW+fej/HfvStxYCQTdCvETQCg4jA4
DA7CvncNxh2hDubCGbIoO2A=
=Can1
-END PGP SIGNATURE-



Multiple signatures on a single file

2005-09-05 Thread Berend Tober

Is it possible to have multiple persons sign a single file? If so, how
is this done?

The particular scenario is currently this: Employees submit expense
reports for business travel using a spread sheet. Current practise is
that the employee fills out spread sheet via computer (or optionally
prints blank spread sheet template and writes by hand with a pen),
physically signs using pen and ink, physically delivers signed hardcopy
to supervisor for supervisor pen-and-ink signature prior to payment
processing.

Desired practise is to eliminate both producing hard copy and
pen-and-ink signatures, and then re-work the process using gpg
electronic signatures. Thus, employee would enter data into expense
report spread sheet, save, gpg sign, mail to supervisor, supervisor
would (presumably) open and review spread sheet, close without changing,
gpg sign, and then return to employee or forward to accounting dept.

Sounds straightforward, but I didn't spot in the various
manuals/guides/how-to's for gnupg how a second individual could add
their signature after me.

-- BMT






Re: PKCS#11 support for gpg-agent

2005-09-05 Thread Nicholas Cole

--- Werner Koch <[EMAIL PROTECTED]> wrote:

> It may not be widely adopted but nevertheless it is the standard to
> make sure that confidential information can be sent over the Internet.
> It is used all over the Net and major industry players are using it
> and even requiring that suppliers are using PGP.
>
> The IETF has not decided whether OpenPGP or S/MIME will be the
> preferred standard.

I don't mean to get involved in the heated discussion about smart cards
and the like, but since it has been raised, I would welcome some
clarification about gpg-1.9, and the thinking behind adding support for
S/MIME.  What is the "roadmap" (from the point of view of users) for gpg?

Is there any sense in which OpenPGP is, or may be soon, a deprecated
standard?

Beyond the pros and cons of centralised CAs, what are the advantages of
the two?

It seems to be the case that amongst individuals and open source
projects, OpenPGP is in very wide use (these things are relative!) - and
given the ease with which OpenPGP has shown it can adapt to emerging
security threats I would expect that to continue.  I have no idea at all
how well commercial PGP is doing.

Best,

N.



