Re: smartcard and ssh
Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found? It works for me
> pretty much out of the box with ubuntu/feisty, less so with earlier
> releases. Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
>   #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
>   It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where
>   the scd is looking for it. This can be solved either by copying the
>   file, or with a symlink. This seems to have been fixed in feisty.

ok, that's a nice one

> * Another was that the ssh-agent support is not enabled out of the box.
>   This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
>   adding --enable-ssh-support in the appropriate place (around line 17).

I've made a gpg-agent.conf file to the same effect.

> * The final thing I needed to do was to install the package
>   libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
>   linked to /usr/lib/libpcsclite.so.1.0.0. Or of course, you could
>   create that symlink yourself. This also appears to have been fixed in
>   feisty, though you do still need libpcsclite1 (and pcscd).

since normal gpg operations (signing) do work, this doesn't seem to be a
problem for me.

> -Alex Mauer hawke

-- 
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
High Performance Computing   Tel. +31 20 592 3000   Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

I really didn't foresee the Internet. But then, neither did the computer
industry. Not that that tells us very much of course - the computer
industry didn't even foresee that the century was going to end.
-- Douglas Adams

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: smartcard and ssh
Alex Mauer wrote:
> Remco Post wrote:
>> hmmm, more problems. I've decided that the ubuntu packages are broken.
>> I'll try again in a new release or when I gain some more patience ;-)
>
> Have you looked for and/or reported the bugs you found? It works for me
> pretty much out of the box with ubuntu/feisty, less so with earlier
> releases. Here are the problems I found and what I had to do to fix them:
>
> * gnupg was trying to use pcsc-wrapper at the wrong location (see bug
>   #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ).
>   It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where
>   the scd is looking for it. This can be solved either by copying the
>   file, or with a symlink. This seems to have been fixed in feisty.

ok, installing gnupg2 and symlinking this file as well as the libpcsclite
helped, thanks a lot!

> * Another was that the ssh-agent support is not enabled out of the box.
>   This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and
>   adding --enable-ssh-support in the appropriate place (around line 17).
>
> * The final thing I needed to do was to install the package
>   libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so,
>   linked to /usr/lib/libpcsclite.so.1.0.0. Or of course, you could
>   create that symlink yourself. This also appears to have been fixed in
>   feisty, though you do still need libpcsclite1 (and pcscd).
>
> -Alex Mauer hawke

-- 
Kind regards,

Remco Post
SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
Keyrings for websites
Hello,

With the current growth of online services that talk to each other (the
web2.0) I thought it a good idea to think about a way to determine trust
between the sites. If my site shares its spam tokens, comments, search
results, tags and pictures (etc) with a cloud of sites, it could be a
good idea to establish a trust-ring.

I therefore thought it an interesting idea to make keys not just for
people, but for a website. That way I can sign public keys from other
sites and give them a trust weight. That way one can establish a web of
trust between sites. A good way to make sure spammers don't get in
between your comments, for example. By allowing so called trackbacks
from trusted sites only, one can reduce the amount of spam greatly. By
sending my tags to trusted sites only, I can make sure that not some
mala fide content thief runs off with my valuable content, yet still
share it.

It is still an idea. And no code is made yet. But I am heavy into Drupal
(been full time developer for it for over 4 years), and I can introduce
this concept there, then hope it takes off into wordpress, plone and
other Open Source, or Closed source CMSes.

All I need is some general idea whether or not this will a) work at all
and b) is possible with gnupg, and c) if it would not 'threaten' gnupg
too much.

thanks for reading,

Bèr
-- 
Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal
hosting: www.sympal.nl
Re: Keyrings for websites
You might want to check out Domain Keys which is used to authenticate
email sessions between MTA's. Also, peer-to-peer authentication can be
accomplished via X.509 certificates and SSL.

Joe

On Feb 8, 2007, at 5:03 AM, Bèr Kessels wrote:

> Hello,
>
> With the current growth of online services that talk to eachother (the
> web2.0) I thought it a good idea to think about a way to determine
> trust between the sites.
> ...
> Bèr
gen-key non-interactively
I'm wanting to pass all of the information that gpg needs to create a
key (key size, type, expiration, userid, etc) initially and not have gpg
keep pausing to ask the user. I've read the man page, read gpg --help,
googled, and I still cant figure out how to pass those things to gpg
while using --gen-key. Any help would be *greatly* appreciated.

Thank you,
Mark Pinto
Re: gen-key non-interactively
here's an expect-based function i use in a bash script for just such
purpose,

# function: DO_GENKEY_SESSION
# auto-execute a GPG --gen-key session
# usage:
#   DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT
# gen-key dialog options (SELECTION):
#   Please select what kind of key you want:
#     (1) DSA and Elgamal (default)
#     (2) DSA (sign only)
#     (3) DSA (set your own capabilities)
#     (5) RSA (sign only)
#     (7) RSA (set your own capabilities)
# variables the caller must set: EXPECT (path to expect), GPG,
#   GPG_RING_OPTS, NOTATION, COMMENT, BITS, NAME_REAL, EMAIL,
#   SIG_COMMENT, PASS
# the expect patterns are the literal prompt strings gpg prints, so
#   they break whenever that text changes between gpg versions
DO_GENKEY_SESSION () {
    echo "START: $COMMENT"
    # the expect script is fed on stdin through an unquoted here-document,
    # so the shell expands $1, $BITS, $PASS etc. before expect sees them
    VAR=$("$EXPECT" -f - <<EOF
spawn $GPG $GPG_RING_OPTS --expert --cert-notation $NOTATION --gen-key
set timeout -1
stty -echo
expect "Your selection? "
exp_send "$1\n"
expect "What keysize do you want?"
exp_send "$BITS\n"
expect "Key is valid for? (0) "
exp_send "0\n"
expect "Is this correct? (y/N) "
exp_send "y\n"
expect "Real name: "
exp_send "$NAME_REAL\n"
expect "Email address: "
exp_send "$EMAIL\n"
expect "Comment: "
exp_send "$SIG_COMMENT\n"
expect "(O)kay/(Q)uit? "
exp_send "O\n"
expect "Enter passphrase: "
exp_send "$PASS\n"
expect "Repeat passphrase: "
exp_send "$PASS\n"
expect eof
EOF
)
    echo "DONE"
}

of course, you define/pass/replace the various vars as you need/like ...

hth!
Re: gen-key non-interactively
On Thu, 8 Feb 2007 10:59, [EMAIL PROTECTED] said:

> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly*

Check out the file DETAILS. It should explain everything. I have copied
the section below.

Shalom-Salam,

   Werner


Unattended key generation
=========================

This feature allows unattended generation of keys controlled by a
parameter file. To use this feature, you use --gen-key together with
--batch and feed the parameters either from stdin or from a file given
on the commandline.

The format of this file is as follows:
  o Text only, line length is limited to about 1000 chars.
  o You must use UTF-8 encoding to specify non-ascii characters.
  o Empty lines are ignored.
  o Leading and trailing spaces are ignored.
  o A hash sign as the first non white space character indicates
    a comment line.
  o Control statements are indicated by a leading percent sign, the
    arguments are separated by white space from the keyword.
  o Parameters are specified by a keyword, followed by a colon. Arguments
    are separated by white space.
  o The first parameter must be "Key-Type", control statements may be
    placed anywhere.
  o Key generation takes place when either the end of the parameter file
    is reached, the next "Key-Type" parameter is encountered or at the
    control statement "%commit"
  o Control statements:
    %echo <text>
        Print <text>.
    %dry-run
        Suppress actual key generation (useful for syntax checking).
    %commit
        Perform the key generation. An implicit commit is done at the
        next "Key-Type" parameter.
    %pubring <filename>
    %secring <filename>
        Do not write the key to the default or commandline given keyring
        but to <filename>. This must be given before the first commit to
        take place, duplicate specification of the same filename is
        ignored, the last filename before a commit is used. The filename
        is used until a new filename is used (at commit points) and all
        keys are written to that file. If a new filename is given, this
        file is created (and overwrites an existing one). Both control
        statements must be given.
  o The order of the parameters does not matter except for "Key-Type"
    which must be the first parameter. The parameters are only for the
    generated keyblock and parameters from previous key generations are
    not used. Some syntactical checks may be performed.
    The currently defined parameters are:
    Key-Type: <algo-number>|<algo-string>
        Starts a new parameter block by giving the type of the primary
        key. The algorithm must be capable of signing. This is a
        required parameter.
    Key-Length: <length-in-bits>
        Length of the key in bits. Default is 1024.
    Key-Usage: <usage-list>
        Space or comma delimited list of key usage, allowed values are
        "encrypt", "sign", and "auth". This is used to generate the key
        flags. Please make sure that the algorithm is capable of this
        usage. Note that OpenPGP requires that all primary keys are
        capable of certification, so no matter what usage is given here,
        the "cert" flag will be on. If no Key-Usage is specified, all
        the allowed usages for that particular algorithm are used.
    Subkey-Type: <algo-number>|<algo-string>
        This generates a secondary key. Currently only one subkey can be
        handled.
    Subkey-Length: <length-in-bits>
        Length of the subkey in bits. Default is 1024.
    Subkey-Usage: <usage-list>
        Similar to Key-Usage.
    Passphrase: <string>
        If you want to specify a passphrase for the secret key, enter it
        here. Default is not to use any passphrase.
    Name-Real: <string>
    Name-Comment: <string>
    Name-Email: <string>
        The 3 parts of a key. Remember to use UTF-8 here. If you don't
        give any of them, no user ID is created.
    Expire-Date: <iso-date>|(<number>[d|w|m|y])
        Set the expiration date for the key (and the subkey). It may
        either be entered in ISO date format (2000-08-15) or as number
        of days, weeks, month or years. Without a letter days are
        assumed.
    Preferences: <string>
        Set the cipher, hash, and compression preference values for this
        key. This expects the same type of string as "setpref" in the
        --edit menu.
    Revoker: <algo>:<fpr> [sensitive]
        Add a designated revoker to the generated key. Algo is the
        public key algorithm of the designated revoker (i.e. RSA=1,
        DSA=17, etc.) Fpr is the fingerprint of the designated revoker.
        The optional "sensitive" flag marks the designated revoker as
        sensitive
Re: Keyrings for websites
Hello,

On Thursday 8 February 2007 15:36, Joseph Oreste Bruni wrote:
> You might want to check out Domain Keys which is used to authenticate
> email sessions between MTA's. Also, peer-to-peer authentication can be
> accomplished via X.509 certificates and SSL.

Yes, I am aware of the X.509 to authenticate servers. Also I know my way
around in the SSL stuff. This, however, is a different thing than what I
want to achieve. I am not so much interested in secure connections, nor
in authentication, between peers.

What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com
ultimately. Since you trust me, you can trust Bar.com too'. That way one
can allow sign-ins from other trusted sites, trackbacks etc.

Thanks for the feedback, though.

Bèr
-- 
Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal
hosting: www.sympal.nl
making a passphrase by doubling a password and tweaking the end
(This is as much about ssh as gpg, but I figure there should be some
passphrase expertise here.)

Suppose my shell password is SapNilph4 (I just got that from APG), is it
stupid to make a passphrase for an ssh or gpg key by doubling it and
changing the end, for example SapNilph4SapNilph3? Or am I really wasting
potential entropy this way?

thanks
Re: gen-key non-interactively
On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:

> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly* appreciated.

Make a file that looks like this:

  %echo Generating a standard key
  Key-Type: DSA
  Key-Length: 1024
  Subkey-Type: ELG-E
  Subkey-Length: 1024
  Name-Real: Joe Tester
  Name-Email: [EMAIL PROTECTED]
  Passphrase: abc
  %pubring foo.pub
  %secring foo.sec
  # Do a commit here, so that we can later print "done" :-)
  %commit
  %echo done

Then do:

  gpg --batch --gen-key /path/to/the/file/above

End result will be a public key in foo.pub and secret key in foo.sec.
See the DETAILS file (in the doc directory) for the various things you
can do.

David
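As an added example that is not part of David's message or of GnuPG itself: a shell script that writes a parameter file using the Key-Usage, Subkey-* and Expire-Date parameters from DETAILS, runs gpg --batch --gen-key in a throwaway GNUPGHOME so the caller's own keyring is never touched, and then checks the result with --with-colons. It needs GnuPG 2.1 or later (for %no-protection); the name, e-mail address and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: unattended key
# generation from a parameter file, done in a throwaway GNUPGHOME so the
# caller's own keyring is never touched. Needs GnuPG 2.1 or later
# (%no-protection). Name, address and directory names are made up.
set -eu

# Write a parameter file for a signing-only RSA primary key with an
# encryption subkey and a one-year expiry, generate it with --batch, and
# print the primary key's fingerprint.
#   $1 = directory to use as GNUPGHOME (created if missing)
gen_batch_key() {
  home="$1"
  mkdir -p "$home"
  chmod 700 "$home"   # gpg warns about a home directory others can read

  cat > "$home/params" <<'EOF'
%echo Generating a demo key
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Joe Tester
Name-Email: joe@example.org
Expire-Date: 1y
# A "Passphrase:" line is only as secret as this file, so an unattended
# run is better off with an unprotected key in a protected directory.
%no-protection
%commit
%echo done
EOF

  GNUPGHOME="$home" gpg --batch --quiet --gen-key "$home/params"
  rm -f "$home/params"

  # Machine-readable listing: field 10 of the "fpr" record is the fingerprint.
  GNUPGHOME="$home" gpg --batch --with-colons --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Capability letters of the primary key and each subkey (field 12 of the
# "pub"/"sub" records), space separated, e.g. "scESC e": lowercase is what
# that key itself may do, uppercase what the key as a whole can do.
#   $1 = GNUPGHOME
key_capabilities() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-keys \
    | awk -F: '$1 == "pub" || $1 == "sub" { printf "%s%s", sep, $12; sep = " " }
               END { print "" }'
}

# Stop the agent gpg started for this home, then delete the directory.
#   $1 = GNUPGHOME
cleanup_home() {
  GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  fpr=$(gen_batch_key "$tmp")
  echo "generated $fpr with capabilities: $(key_capabilities "$tmp")"
  cleanup_home "$tmp"
fi
```

Run it as `sh script.sh demo`. The Passphrase: parameter still exists, but anything written there is readable by whoever can read the parameter file, which is the usual reason unattended generation ends up with an unprotected key in a directory that only the service account can reach. Note also that %secring is a no-op on GnuPG 2.1 and later, where secret keys are kept in private-keys-v1.d under GNUPGHOME rather than in a secring file.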
Re: making a passphrase by doubling a password and tweaking the end
> Suppose my shell password is SapNilph4 (I just got that from APG), is
> it stupid to make a passphrase for an ssh or gpg key by doubling it
> and changing the end, for example SapNilph4SapNilph3? Or am I really
> wasting potential entropy this way?

Stupid? No. May not be especially wise, though.

GnuPG passphrases, like root login passwords, are very high-value
secrets. You should plan for them to be compromised at some point. If
your root login gets compromised and your GnuPG passphrase is derivable
from your root login, then you've got two high-value secrets
compromised. Vice-versa is the same way.

So while no, you're not wasting entropy, this may not be wise due to how
it complicates your failsafe plans.
Re: gen-key non-interactively
> I strongly advise against using expect to generate keys. Your expect
> script will break when we change the text that GPG displays. If you
> want to generate keys unattended, then use the --batch --gen-key
> interface.

i clearly understand that, and will manage my script(s) accordingly.
thanks. :-)

fwiw, the snippet i attached is a part of a larger, expect-based script
i use to roll-out gpg key packages to new employees. as 'batch' support
is only, currently provided (afaict ...) for gen-key, i simply use
expect (even though i think it's a major pita!) to be consistent across
all my other script functions. atm, there's no other convenient
full-automation option that i'm aware of; and, again, yes, i know it's
'upgrade fragile'.

thanks.
Re: OpenPGP card and secret keys
Werner Koch wrote:
> Okay, so it is not a communication problem with the card. Please run
>
>   gpg --debug 64 --clearsign test.txt
>
> To see why gpg tries to use the primary key.

aha! it does not. It's trying to use a different subkey instead. Surely
missing secret key parts would be cause to reject that subkey as a
candidate for use, and just because secret parts are missing for one
subkey doesn't mean they're missing for all subkeys, right?

$ gpg --debug 64 --clearsign test.txt
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=0)
gpg: DBG: using key 51192FF2
gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=1)
gpg: DBG: checking subkey 4A1C1224
gpg: DBG: subkey looks fine
gpg: DBG: checking subkey F4878DDE
gpg: DBG: usage does not match: want=1 have=2
gpg: DBG: checking subkey 9A37EEFF
gpg: DBG: subkey looks fine
gpg: DBG: using key 9A37EEFF
gpg: DBG: cache_user_id: already in cache
gpg: secret key parts are not available
gpg: no default secret key: general error
gpg: test.txt: clearsign failed: general error
secmem usage: 1408/3488 bytes in 2/15 blocks of pool 3488/32768
Re: gen-key non-interactively
On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote:

> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user. I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key. Any help would be *greatly* appreciated.

If you are trying to do this as part of a bigger program, you might want
to check out the gpgme and libgcrypt libraries.

Otherwise, the gnupg manual page mentions an experimental method for
using --gen-key non-interactively, which is described in the DETAILS
file in the doc/ subdirectory of the gnupg source archive. Thus, you
need to download the gnupg source (either 1.4.x or 2.0.x, depending on
which version you're using anyway), read the doc/DETAILS file, and see
if the method described there works for you. I just tried it with GnuPG
1.4.6, and it worked just fine here.

G'luck,
Peter

-- 
Peter Pentchev  [EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If the meanings of 'true' and 'false' were switched, then this sentence
wouldn't be false.
Re: Keyrings for websites
On Thu, Feb 08, 2007 at 01:03:05PM +0100, Bèr Kessels wrote:

> Hello,
>
> With the current growth of online services that talk to eachother (the
> web2.0) I thought it a good idea to think about a way to determine
> trust between the sites. If my site shares its spam tokens, comments,
> search results, tags and pictures (etc) with a cloud of sites, it
> could be a good idea to establish a trust-ring.
>
> I therefore thought it an interesting idea to make keys not just for
> people, but for a website. That way I can sign public keys from other
> sites and give them a trust weight.
[snip]
> It is still an idea. And no code is made yet. But I am heavy into
> Drupal (been full time developer for it for over 4 years), and I can
> introduce this concept there, then hope it takes off into wordpress,
> plone and other Open Source, or Closed source CMses.
>
> All I need is some general idea wether or not this will a) work at all
> and b) is possible with gnupg, and c) if it would not 'threaten' gnug
> too much.

It ought to be both possible and trivial. ISTR several discussions on
this mailing list, where people mentioned using PGP keys (or rather,
uid's) with only names, no e-mail addresses. You could either use such
keys with the hostname (or the full path to the web application) placed
directly in the name part of the user ID, or develop some kind of
machine-readable encoding to represent a host name, application path,
application name, or any level of detail you feel comfortable with, and
then place those in the name or the comment part of the key's user ID.

After that, proceed as usual - sign the user-ID with the key itself
(GnuPG should do that as part of the key generation anyway), sign it
with your own key, and send the public key to the others. They should
generate keys for their web apps too, sign them with their own
(developers') keys, and send them to you. Then each of you establishes
his own trustdb, places trust in (some of) the developers' keys, and
off you go.

G'luck,
Peter

-- 
Peter Pentchev
This inert sentence is my body, but my soul is alive, dancing in the
sparks of your brain.
Re: Keyrings for websites
Peter Pentchev wrote:
> using PGP keys (or rather, uid's) with only names, no e-mail
> addresses. You could either use such keys with the hostname (or the
> full path to the web application) placed directly in the name part of
> the user ID, or develop some kind of machine-readable encoding to
> represent a host name, application path, application name, or any
> level of detail you feel comfortable with, and then place those in
> the name or the comment part of the key's user ID.
>
> After that, proceed as usual -

This sort of overloading of the name/comment/email fields bothers me. I
wish that UIDs were more of a key/value system (one key/value pair per
UID), e.g. name=William Surrey, [EMAIL PROTECTED], [EMAIL PROTECTED],
comment=Billy's key, alias=Bill; or name=Example's awesome wiki!,
hostname=www.example.org, application=mediawiki (for the purpose given
above).

I'm thinking something equivalent to what vorbis comments are for ogg
vorbis audio files. See http://xiph.org/vorbis/doc/v-comment.html

Of course, I doubt that the OpenPGP spec allows for this sort of
extensibility in the comments, or if it does that anyone's willing to
implement it (or it would have been done by now). But it sure would be
great if it were to happen.
Re: Keyrings for websites
Alex Mauer [EMAIL PROTECTED] writes:

> This sort of overloading of the name/comment/email fields bothers me.
> I wish that UIDs were more of a key/value system (one key/value pair
> per

As far as I understand it there are no such fields. User ID is freeform,
just a string. So feel free to put in "Key: Value" or whatever you'd
like to.

Thomas
Re: Keyrings for websites
On Thu, Feb 08, 2007 at 05:32:30PM +0100, Bèr Kessels wrote:

> Hello,
>
> On Thursday 8 February 2007 15:36, Joseph Oreste Bruni wrote:
>> You might want to check out Domain Keys which is used to authenticate
>> email sessions between MTA's. Also, peer-to-peer authentication can
>> be accomplished via X.509 certificates and SSL.
>
> Ye, I am aware of the X.509 to authenticate servers. Also I know my
> way around in the SSL stuff. This, however, is a different thing then
> what I want to achieve. I am not so much interested in secure
> connections, nor in authentication, between peers.
>
> What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com
> ultimately. Since you trust me, you can trust Bar.com too'. That way
> one can allow sign-ins from other trusted sites, trackbacs etc.
>
> Thanks for the feedback, though.

Check out OpenID, although it is not cryptography based (AFAIK).

Alex
-- 
JID: [EMAIL PROTECTED]  PGP: 0x46399138
Paying attention to details is for doctors, lawyers, programmers and
watchmakers. -- Czerski
Re: gen-key non-interactively
On Thu, 8 Feb 2007 16:51, [EMAIL PROTECTED] said:

> Otherwise, the gnupg manual page mentions an experimental method for

BTW, I forgot to remove the experimental tag. That is a stable feature
and useful for production.

Salam-Shalom,

   Werner
Re: Keyrings for websites
On Thu, 8 Feb 2007 20:10, [EMAIL PROTECTED] said:

> wish that UIDs were more of a key/value system (one key/value pair per

You may use notations for this. They are however stored with the
self-signature, so some care needs to be taken.

If you need something similar to the user ID, use the User Attribute
Packet (Tag 17). It is currently only used for the photo ID but it may
be extended. From the latest OpenPGP I-D:

   The User Attribute packet is a variation of the User ID packet. It
   is capable of storing more types of data than the User ID packet
   which is limited to text. Like the User ID packet, a User Attribute
   packet may be certified by the key owner ("self-signed") or any
   other key owner who cares to certify it. Except as noted, a User
   Attribute packet may be used anywhere that a User ID packet may be
   used.

   While User Attribute packets are not a required part of the OpenPGP
   standard, implementations SHOULD provide at least enough
   compatibility to properly handle a certification signature on the
   User Attribute packet. A simple way to do this is by treating the
   User Attribute packet as a User ID packet with opaque contents, but
   an implementation may use any method desired.

   The User Attribute packet is made up of one or more attribute
   subpackets. Each subpacket consists of a subpacket header and a
   body. The header consists of:

     - the subpacket length (1, 2, or 5 octets)

     - the subpacket type (1 octet)

   and is followed by the subpacket specific data.

   The only currently defined subpacket type is 1, signifying an image.
   An implementation SHOULD ignore any subpacket of a type that it does
   not recognize. Subpacket types 100 through 110 are reserved for
   private or experimental use.

Salam-Shalom,

   Werner
GnuPG on MS Vista
Hi, it appears to be impossible to connect to any keyservers through gpg
on my newly installed Vista box. I have disabled UAC and im running as
admin, so that should not be the cause of any problems.

Whenever i try to get something from a keyserver i get:

gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de
gpg: requesting key from hkp server pgpkeys.pca.dfn.de
gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

All the keyservers i have tried works well when using their web
interface.

Does anyone know how to solve this problem?
Re: New command line language parameter
Werner Koch said:
> On Mon, 5 Feb 2007 14:57, [EMAIL PROTECTED] said:
>> I tried the SET LANG=xx and as far as i read in the GPG documentation
>> and mailing list's posts, this is only for POSIX systems, not for
>> windows, at least in windows doesn't work in all the ways i tried.
>
> You are right. It works for GPA but not for GPG because with gpg we
> use a simplified version of gettext. This is easy to fix.
>
>> I'm afraid the only way to use a language file in windows is the
>> registry or a new command line parameter.
>
> No. A command line option won't work because how would you then print
> a localized message like "invalid option" or diagnostics printed even
> before any option has been parsed.

Now be patient here for a moment. All of the following IS related to
running GnuPG on Windows!

To lead it all off, if you are running as an Administrator user all the
time on Windows you are doing the equivalent of RUNNING AS root ALL THE
TIME ON A UNIX SYSTEM! The present Windows GnuPG 1.4.X installs assume
people do this. Most of them probably do run their Windows system this
way, but that doesn't make it the only way, and I believe it is NOT THE
RIGHT WAY! Microsoft isn't helping them do it properly either.

NOW HAVING SAID WHAT I JUST SAID, IF YOU ARE *NOT* A MICROSOFT WINDOWS
USER DELETE THIS MESSAGE AND MOVE ON! TRUST ME! You are wasting your
time reading unless you use Microsoft Windows either ALL or a
substantial amount of the time. You will just get confused until you
understand how Microsoft Windows works. Even a lot of full-time
Microsoft Windows users don't know how it works. I should know. I help
them all the time and am appalled at how little they know about a system
they have used for years. Some of them I have given up on EVER
understanding their systems.

Where is the URL on setting these language settings in the HKCU registry
keys? I am getting ready to put a lot of this stuff up on web pages. I
already have a ZIP file with SOME of what is needed in it. I will have a
web page or a set of web pages that will be devoted strictly to GnuPG
(1.4.x) on Windows. I WILL provide REG files for what some people think
in this forum are strange situations. I suppose this could be one of
them.

I posted an actual REG file in this forum and somebody didn't even see
the REG4 at the top of it and said I should provide the actual REG file.
I DID provide the actual REG file! All they had to do was to copy and
paste, AND THEN ALTER SOME VARIABLES. You cannot use ENVIRONMENT
variables in a REG file since they are part of the registry anyway. But
this forum is NOT the right place to do it. What I posted was partially
wrong anyway. It had the HKLM entries which I will either let the
install do, or provide an HKLM.reg file. What is needed for most people
are the HKCU keys for each Windows user that is running as a restricted
user.

You can fix the code if you want to Werner, but the proper way for a lot
of this stuff on Windows is to put it into the registry. Even the
ENVIRONMENT variables are stored in, you guessed it - THE REGISTRY! They
are in the HKLM hive for the ones in the lower "everybody" panel and in
the HKCU area for the ones in the upper panel if you use the Control
Panel method to look at the environment variables.

There are several other things going along with this like the fact that
without using higher order registry editing tools (not regedit) you
can't normally dive into anybody else's HKCU hive. You normally only see
your own (the one belonging to who you logged in as). Reading and adding
or modifying somebody else's HKCU entries is possible but I consider
that more esoteric than just providing somebody with a REG file and
telling them to modify it. I am looking at writing a program that will
actually create the REG file for them (yes, overkill, but it saves
people from typing mistakes).

What is being provided in the GnuPG install is only suitable for idiots
who run as an Administrator, all the time with only one account on the
system and that one is an Administrator account (you need at least one).
They can keep their account as an Administrator and install the Drop My
Rights program (which I give to everybody because that is usually more
than they can do even if I provide them *.lnk files to paste onto the
desktop and in the Start folders which even then they seem to muck up):

http://tinyurl.com/3u46a

That is unsuitable because likely or not somebody is going to message
the default browser which is running in admin space and can thus modify
the HKLM keys and all the files in the %WinDir% folder and all
sub-folders. Even if the browser is messaged into running with lower
privileges via DropMyRights.exe, a RealPlayer or Windows Media Player is
messaged into running as the logged in user. Windows does NOT fork off
the App like Unix systems do. Nevertheless, that is what I used for
years on Administrator accounts for my logon type administrator
accounts. There IS a better
Re: GnuPG on MS Vista
On Thu, Feb 08, 2007 at 09:24:17PM +0100, Jørgen Lysdal wrote:

> Hi, it appears to be impossible to connect to any keyservers through gpg on my newly installed Vista box. I have disabled UAC and I'm running as admin, so that should not be the cause of any problems. Whenever I try to get something from a keyserver I get:
>
>     gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de
>     gpg: requesting key from hkp server pgpkeys.pca.dfn.de
>     gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/
>     gpg: no valid OpenPGP data found.
>     gpg: Total number processed: 0
>
> All the keyservers I have tried work well when using their web interface. Does anyone know how to solve this problem?

Can you do the request, but add

    --debug 1024 --keyserver-options use-temp-files keep-temp-files

There will be a line that says something like "DBG: Using temp file such-and-such". Send me the tempin.txt and tempout.txt files.

David
Re: GnuPG on MS Vista
> There will be a line that says something like "DBG: Using temp file such-and-such". Send me the tempin.txt and tempout.txt files.
>
> David

Vista has radically changed the process of compiling code for the platform. Neither MinGW nor Cygwin GCC work under Vista without substantial kludges and workarounds; Microsoft recommends against VS.NET and VS2003; VS2005 is only supported with the latest service pack and some known issues. GnuPG will not build with VS2005 without some major overhauls to the build environment.

While I know that generally the Windows build system involves Linux and a cross-compiler for Win32, it's very possible behind-the-scenes changes in Vista will lead to breakage. It may be worth considering telling people that Vista is an unsupported OS for GnuPG 1.4.x.

(goes back to hacking CMake and VS2005's command-line compiler)
Re: GnuPG on MS Vista
Robert J. Hansen wrote:

> It may be worth considering telling people that Vista is an unsupported OS for GnuPG 1.4.x.

But will it be supported in any near future?
Re: GnuPG on MS Vista
> But will it be supported in any near future?

That's up to the GnuPG developers, and whether they have any Vista boxes available to do regression testing on. They may have already tested it against Vista; I don't know.
Re: New command line language parameter
> The present Windows GnuPG 1.4.X installs assume people [run as Administrator].

The installer requires Administrator rights to install to the program files directory, just like every other Win32 program that wants to install there. Once installed, GnuPG does not require Administrator rights to run.

> All they had to do was to copy and paste, AND THEN ALTER SOME VARIABLES.

This is unwise from a security perspective. Messing up a registry file can have terrible consequences. If you're advocating that people make edits to a registry file without understanding the registry, what they're looking at, what they're changing, etcetera, then disaster is waiting in the wings. Regular users should not edit the Windows registry. Ever.

> There are several other things going along with this like the fact that without using higher order registry editing tools (not regedit) you can't normally dive into anybody else's HKCU hive.

This is by design; it's an important security mechanism. Alice shouldn't be allowed to inspect or modify Bob's registry entries. Only the Administrator should have access to everyone's registry entries. Please consider the implications of advocating that people bypass a security mechanism so they can install a piece of security software. It doesn't make much sense.

> What is being provided in the GnuPG install is only suitable for idiots who run as an Administrator, all the time with only one account on the system and that one is an Administrator account...

Please do not insult regular users by calling them idiots. The GnuPG installer is suitable for many kinds of Windows users. Speaking for myself, I administer a small XP network with several users, all of whom have GnuPG available to them. Their user accounts don't have Administrator privileges. The installer worked just fine for us.

> One of the things that has occurred to me is to ask the question can I make GnuPG say a signed message is okay whether it is or not? By that I mean, can I by changing just the message strings of GnuPG make all signed messages show up as okay?

Sure. But if you install it as Administrator, then you need Administrator privileges to modify the file. If a malicious attacker has Administrator access to your Windows box, then it's a game-over condition anyway and there's nothing GnuPG can do to fix this.

> If you don't think that if GnuPG takes off like mad on Windows

According to the Enigmail folks, their number of Windows downloads are routinely an order of magnitude larger than their number of UNIX downloads. This strongly suggests more people run GnuPG on Windows than run GnuPG on UNIX.

> That is probably more of a flame against Windows users who run their systems in a stupid manner than a slam against Microsoft, although Microsoft doesn't help very much.

Again, we don't need to insult either users or corporations as being stupid.

> If any of you have information of running GnuPG in a Windows environment with some other way of doing it other than as always one user with an Administrator account ship it to me.

Get the zip archive, uncompress it to some directory you own, add that directory to your own personal PATH.

> On the other hand if you want to flame me and say I am stupid, or that I need lessons in writing, or that all I am doing is spamming like a University Computer Science Professor recently said I was doing (I believe he was the department chair),

I'm not a professor. I'm a pre-comps Ph.D. candidate in computer science.
A question...
Hi:

I ask a question: How are the two lines that appear above all signed messages removed? Is there some human way to tell GnuPG not to show those two lines of BEGIN PGP MESSAGE?

TIA.

--
Regards from Santiago José López Borrazás.
Admin of hackindex.com/.es
Advanced knowledge in computer security. Advanced knowledge in networks.
Re: A question...
> Is there some human way to tell GnuPG not to show those two lines of BEGIN PGP MESSAGE?

Those two lines are required by OpenPGP and must be present in any clearsigned message.
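The reply above says the two lines are mandatory; as an added example (not from any post in this thread), here is a small parser for the RFC 4880 cleartext signature framework that shows what a verifier takes from them: the BEGIN line marks where the signed text starts, the Hash: header names the digest algorithm, and dash-escaped lines (a signature separator `-- ` travels as `- -- `) are restored. The sample message and its signature body are constructed placeholders, not a real signature.

```python
from typing import List, NamedTuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

class Clearsigned(NamedTuple):
    hashes: List[str]   # digest algorithms named in the Hash: header
    text: str           # signed text with dash-escaping undone
    signature: str      # the armored signature block, verbatim

def parse_clearsigned(msg: str) -> Clearsigned:
    lines = msg.splitlines()
    if BEGIN_SIGNED not in lines:
        raise ValueError("no BEGIN PGP SIGNED MESSAGE line: signed text cannot be located")
    i = lines.index(BEGIN_SIGNED) + 1
    hashes: List[str] = []
    # Armor headers run up to the first empty line; RFC 4880 requires Hash: here.
    while i < len(lines) and lines[i] != "":
        key, _, value = lines[i].partition(":")
        if key.strip() != "Hash":
            raise ValueError(f"unexpected cleartext header: {lines[i]!r}")
        hashes += [h.strip() for h in value.split(",") if h.strip()]
        i += 1
    if not hashes:
        raise ValueError("no Hash: header: verifier cannot choose the digest algorithm")
    i += 1  # skip the blank line separating headers from text
    body: List[str] = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        # Dash-escaping: a signed line starting with '-' is sent as "- -...".
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i == len(lines) or END_SIG not in lines[i:]:
        raise ValueError("signed text is not followed by a complete signature block")
    end = lines.index(END_SIG, i)
    return Clearsigned(hashes, "\n".join(body), "\n".join(lines[i:end + 1]))

# Constructed sample; the base64 body is a placeholder, not a real signature.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi: a question about the two lines above.
- --
-----BEGIN PGP SIGNATURE-----

iQIVAwUBPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER=
=AAAA
-----END PGP SIGNATURE-----
"""
```

Removing either header line makes `parse_clearsigned` refuse the message, which is the practical reason they cannot be dropped.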
Re: A question...
Hello Santiago!

Santiago José López Borrazás [EMAIL PROTECTED] wrote:

> How are the two lines that appear above all signed messages removed? Is there some human way to tell GnuPG not to show those two lines of BEGIN PGP MESSAGE?

No, there is no human, and not even God, who could remove the first two lines of a PGP message.

--
Laurent Jumet
KeyID: 0xCFAF704C
Random numbers
While this may be off-topic, sometimes the community needs a good laugh, and today's XKCD provides a good laugh about random numbers. :)

http://www.xkcd.net