Re: commands for gpg keychain access

2007-04-17 Thread Stoddard Richard

On Apr 16, 2007, at 12:49 AM, Charly Avital wrote:

> For this, you have to edit the contents of your gpg.conf file.
> I understand you are using GPG Keychain Access. Open its Preferences...,
> that are also accessible from the Apple Menu/System Preferences/GnuPG icon.

I tried to edit the contents, but when I click on GnuPG in system  
preferences I get the message  "You cannot open GnuPG preferences  
pane on this computer. Contact the developer of this software for a  
newer version." Anyone have any idea what my problem is? Should I try  
to reinstall? (I'm using 1.4.7.)  Or is there some work-around?

> You can also, in that same GnuPG (System Preferences) window, go to
> 'Expert', hit the 'Reveal in Finder' button, that will make visible and
> graphically accessible the contents of ~/.gnupg (the gpg home directory).
> Click the gpg.conf file, open it with a text editor (you have TextEdit
> in your operating system) and add the two separate lines:
> enable-dsa2
> digest-algo SHA256

I looked at this last night, and may take a crack at editing it if I  
can't get the preference panel to work.

Thanks for the help.
Rick

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Decrypting multiple files gives errors

2007-04-17 Thread fourthirtysix

Is there another forum where I can ask this?  I've used gnupg for a long time
and now I'm losing some faith in its stability due to this problem...
thanks



fourthirtysix wrote:
> 
> I'm getting errors when i try to decrypt multiple files at the same time
> with --decrypt-files. When I do files individually, they seem to decrypt
> fine. When I do multiple files, the first file decrypts fine, but all the
> others give errors like this:
> 
> gpg: encrypted with 2048-bit ELG-E key, ID 12345678, created 2007-01-01
>   "John Smith <[EMAIL PROTECTED]>"
> gpg: WARNING: multiple plaintexts seen
> gpg: handle plaintext failed: unexpected data
> 
> I'm using gpg (GnuPG) 1.4.6 on Ubuntu 7.10 and this error is occurring on
> two different computers using the same keys.
> 
> Please help! I don't want to have to decrypt one at a time!
> 
> Thanks
> 
> 
> 



Re: How to protect private keys?

2007-04-17 Thread Sven Radde
Hi!

Moses schrieb:
> How to better protect private keys of GPG users?
Apart from the *very* good point of Robert, your private key is still
protected by its passphrase after you run "gpg --export-secret-key". It
therefore cannot be used by someone who does not know the passphrase
(however, when someone is able to run commands under your user account,
installing a keyboard sniffer should not be too difficult).

The export only gives an attacker convenient access to the key file. But
if he can run gpg commands, he could just copy your secring.gpg anyway,
so he already has access to the secret key. Asking for a passphrase to
export the key would not change anything.
In fact, if you do not intentionally share your user account on your
machine, accessing the secret keyring file itself might be achieved far
easier (i.e. via insecure file permissions on ~/.gnupg) than running
GnuPG commands under your user account.

So, make sure that nobody except you can execute "gpg
--export-secret-key" (on your keyrings) in the first place... :-)

cu, Sven

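A check for the "insecure file permissions on ~/.gnupg" case Sven mentions, as an added example (not code from the thread or from GnuPG): it walks a GnuPG home directory and reports every entry another local user could reach. build_sample_homedir() is a constructed throwaway directory so the check can be run offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any read/write/search bit for group or others is enough to flag an entry.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def insecure_paths(homedir, expected_uid=None):
    """Return sorted (relative path, reason) pairs for the homedir itself and
    everything below it whose mode or ownership would let another local user
    reach the keyrings. An empty list means the directory looks private."""
    home = Path(homedir)
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    # lstat, not stat: a symlink inside the homedir is reported rather than
    # followed, since it may point at a file outside the directory entirely.
    for p in [home] + sorted(home.rglob("*")):
        st = os.lstat(p)
        rel = str(p.relative_to(home))
        if st.st_uid != expected_uid:
            findings.append((rel, "not owned by uid %d" % expected_uid))
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink inside homedir"))
            continue
        if st.st_mode & GROUP_OTHER_BITS:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((rel, "mode %o allows group/other access" % mode))
    return sorted(findings)


def is_private(homedir, expected_uid=None):
    """True when nothing under homedir is exposed to group or others."""
    return not insecure_paths(homedir, expected_uid)


def build_sample_homedir(secring_mode):
    """Constructed sample: a fresh 0700 directory holding one empty
    secring.gpg whose mode the caller chooses (e.g. 0o600 or 0o644)."""
    d = Path(tempfile.mkdtemp(prefix="gnupg-check-"))
    os.chmod(d, 0o700)
    keyring = d / "secring.gpg"
    keyring.write_bytes(b"")
    os.chmod(keyring, secring_mode)
    return d


if __name__ == "__main__":
    for reason in insecure_paths(Path.home() / ".gnupg"):
        print("%s: %s" % reason)
```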


Re: Batch Mode and decrypt

2007-04-17 Thread David Shaw
On Tue, Apr 17, 2007 at 10:27:35AM -0500, jane grove wrote:
> Thanks, David.  I still have a question though:
> 
> In my script, I used the command
> "gpg --batch --passphrase-fd 0 -d [INPUTFILE]"
> to decrypt my "INPUTFILE".  When I run the script, it pauses and waits
> for the passphrase.  If I enter the passphrase, the script goes
> through well.  If I hit enter without the right passphrase, the script
> complains about not having the right passphrase.
> 
> How can I run this script in silent mode, feed the passphrase to it
> automatically?  I am trying not to interact with the script during its
> running.

--passphrase-fd 0 means "give me the passphrase on fd 0 (i.e. stdin)".

This is for people who have this sort of thing in their script:

 program_that_prints_the_passphrase | gpg --passphrase-fd 0

If you don't have that sort of structure, --passphrase-fd isn't useful
to you.

It sounds like you want --passphrase-file or just --passphrase.

Again, though, if you're going to actually code the passphrase into
the script itself, why have a passphrase at all?

David



Re: Lost passphrase

2007-04-17 Thread Charly Avital
John W. Moore III wrote the following on 4/17/07 3:51 PM:
[...]

> 
> If You are unable to Revoke the former Key then by all means; Generate a
> New Key (and create a standby Revoke cert) and Publish this Key *AND*
> notify every critical correspondent of the new Key!  Still, those folks
> who Search for your Key via Email Address may send You encrypted Email
> using the Former/Compromised Key. (Shake Head sadly and mutter, "Ah Shit")
> 
> I suggest You Move On (sadder but wiser) and accept that You have
> made a common misstep on the path to Secure Communication.

If I may add one piece of "cobbler's approach" to the perfectly correct
advice given by John.

There is a most inelegant way to warn the folks worldwide that your
previous key is unusable: when you generate your new key, and get to the
"Comment" phase, you might insert something like "Key ID 0x5E6CBE2D
unusable", if 0x5E6CBE2D is the key whose passphrase you have lost.
Like I said, the cobbler's approach.

Charly



Re: Batch Mode and decrypt

2007-04-17 Thread jane grove
Thanks, David.  I still have a question though:

In my script, I used the command
"gpg --batch --passphrase-fd 0 -d [INPUTFILE]"
to decrypt my "INPUTFILE".  When I run the script, it pauses and waits
for the passphrase.  If I enter the passphrase, the script goes
through well.  If I hit enter without the right passphrase, the script
complains about not having the right passphrase.

How can I run this script in silent mode, feed the passphrase to it
automatically?  I am trying not to interact with the script during its
running.

Thanks - Jane

On 4/14/07, David Shaw <[EMAIL PROTECTED]> wrote:
> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
> > Hello,
> > I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a 
> > script).
> > When I use the option "--batch", I don't have a way to enter the user
> > id or passphrase.
>
> Look at the --passphrase-fd, --passphrase-file, or --passphrase
> options.  They are all in the manual, and can be used to provide a
> passphrase during batch operation.
>
> However, if you are including the passphrase in a script, it is worth
> asking yourself if there is any security benefit in having a
> passphrase-protected key at all.  After all, an attacker who gets
> access to the script needs merely to read it to know the passphrase.
>
> David
>



Re: Batch Mode and decrypt

2007-04-17 Thread Joseph Oreste Bruni
The 0 in "--passphrase-fd 0" is the number of the file descriptor  
from which gpg will read the passphrase. In this case, 0, is stdin.  
Since you didn't attach stdin to a pipe or a file through  
redirection, stdin is still attached to your terminal. You aren't  
being "prompted" for your passphrase, gpg is just reading from your  
terminal (a pipe) which doesn't have any data to read until you type  
it in.


You can redirect stdin two ways, either a pipe:

$ cat passphrase_file | gpg --passphrase-fd 0 ...

or from the stdin redirection

$ gpg --passphrase-fd 0 ... < passphrase_file.

Reading from stdin doesn't necessarily mean it must come from a file.  
Your passphrase can come from a program that writes the passphrase to  
stdout:


$ my_agent | gpg --passphrase-fd 0 ...

And however "my_agent" securely stores your passphrase is left as an
exercise to the reader (e.g. database).



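The mechanism David and Joseph describe, as an added example that is not code from the thread: the passphrase is handed to the child on a numbered file descriptor fed by a pipe, so it is neither typed at a terminal, passed on the command line, nor written to disk, and stdin stays free for the data. gpg_decrypt_argv() shows the real gpg invocation; the runnable demonstration uses a small Python child as a stand-in for gpg, since it only has to read the fd it is told about.

```python
import os
import subprocess
import sys


def run_with_passphrase_fd(make_argv, passphrase, stdin_bytes=b""):
    """Run make_argv(fd) with the passphrase readable on that fd.

    The passphrase travels through an anonymous pipe, so it is neither on the
    command line (visible to other users via ps) nor in a file on disk, and
    stdin stays free for the data. Returns (returncode, stdout_bytes)."""
    read_end, write_end = os.pipe()
    try:
        # pass_fds keeps read_end open in the child under the same number,
        # which is why make_argv is told that number.
        proc = subprocess.Popen(make_argv(read_end), stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE, pass_fds=(read_end,))
    except Exception:
        os.close(write_end)
        raise
    finally:
        os.close(read_end)  # the parent never reads the passphrase back
    # One line, then EOF: exactly what a --passphrase-fd reader expects.
    os.write(write_end, passphrase.encode() + b"\n")
    os.close(write_end)
    out, _ = proc.communicate(stdin_bytes)
    return proc.returncode, out


def gpg_decrypt_argv(ciphertext_path):
    """make_argv for the real tool: the thread's command, but with the
    passphrase on a private fd instead of stdin. GnuPG 2.1 and later also
    need --pinentry-mode loopback for --passphrase-fd to take effect."""
    return lambda fd: ["gpg", "--batch", "--passphrase-fd", str(fd),
                       "-d", ciphertext_path]


# Stand-in for gpg so the mechanism can be exercised offline: a child
# interpreter that reads one line from the fd named in argv[1], then copies
# its stdin, and reports both.
_STAND_IN = (
    "import os, sys\n"
    "with os.fdopen(int(sys.argv[1])) as f:\n"
    "    passphrase = f.readline().rstrip('\\n')\n"
    "data = sys.stdin.buffer.read().decode()\n"
    "sys.stdout.write('passphrase=%s\\nplaintext=%s\\n' % (passphrase, data))\n"
)


def stand_in_argv(fd):
    return [sys.executable, "-c", _STAND_IN, str(fd)]


def demo(passphrase="correct horse", payload=b"constructed ciphertext"):
    """Constructed inputs; returns (returncode, stdout) from the stand-in."""
    return run_with_passphrase_fd(stand_in_argv, passphrase, payload)


if __name__ == "__main__":
    rc, out = demo()
    print(rc, out.decode(), end="")
```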


Re: Lost passphrase

2007-04-17 Thread Sven Radde
Hi!

Thomas Sowa schrieb:
> - i can't revoke it --> no passphrase :-(
> - i still need the email addresses with the useless keys
> - i definitely can't find the passphrase

Well, the severity of the problem depends on whether your "forgotten"
keys are available on the public keyservers.

If not, you're quite fine: Just generate a new key and distribute this
to your friends along with a note to delete the old key.

If yes, you're quite screwed as it will stay there forever: New contacts
will not know which key to choose when they look your name up on the
keyservers. People might be smart enough to use the newer of the two
keys. If you don't rely so much on the keyservers to distribute your
key, it is also less of a problem.
This *will* sort itself out, however, after the email exchange with them
has begun: If you receive a message encrypted to your old key, you would
email them back to use the new one instead. It is just an inconvenience
to set up the "communication channel" to you. Once your communication
partner has the correct key in his local keyring, everything will be fine.

In any case, create a new key. You might change something in the UIDs
but it is not really necessary. The creation date can serve as a
discriminator between the two keys.

For your new key, immediately after generating it, create a "revocation
certificate" and store it in a safe place. You can later use it to
revoke the key without a passphrase, see the man-page and other docs for
more details. It is also extremely helpful to set an expiration date to
your key (you can always extend it and re-distribute the key).

HTH, Sven



Re: Decrypting multiple files gives errors

2007-04-17 Thread Patrick Brunschwig
This is a new security feature. Use the new option
"--allow-multiple-messages" to avoid the error.

- -Patrick

fourthirtysix wrote:
> Is there another forum where I can ask this?  I've used gnupg for a long time
> and now I'm losing some faith in its stability due to this problem...
> thanks
> 
> 
> 
> fourthirtysix wrote:
>> I'm getting errors when i try to decrypt multiple files at the same time
>> with --decrypt-files. When I do files individually, they seem to decrypt
>> fine. When I do multiple files, the first file decrypts fine, but all the
>> others give errors like this:
>>
>> gpg: encrypted with 2048-bit ELG-E key, ID 12345678, created 2007-01-01
>>   "John Smith <[EMAIL PROTECTED]>"
>> gpg: WARNING: multiple plaintexts seen
>> gpg: handle plaintext failed: unexpected data
>>
>> I'm using gpg (GnuPG) 1.4.6 on Ubuntu 7.10 and this error is occurring on
>> two different computers using the same keys.
>>
>> Please help! I don't want to have to decrypt one at a time!
>>
>> Thanks
>>
>>
>>
> 



Re: Decrypting multiple files gives errors

2007-04-17 Thread John W. Moore III
fourthirtysix wrote:
> Is there another forum where I can ask this?  I've used gnupg for a long time
> and now I'm losing some faith in its stability due to this problem...

I Cannot think of a Better Forum than this!  This List is regularly read
by the very PPL who write/design the Code for GnuPG.  YES; there are
other arenas where You may Post disparaging remarks; but none that will
attempt to address your concerns/fears.

Since Werner, David & many Others Freely give time & attention to this
Project (ask for g10 Rates) I believe that your requests/concerns are
given 'weight' by being mentioned here.

My Personal suspicion is that You are a Member of the 'ME Generation'
and are accustomed to instant gratification. :-\  Please be patient and
Your issues *will* be addressed and responded to.

JOHN :-\
Timestamp: Tuesday 17 Apr 2007, 08:38 -0400 (Eastern Daylight Time)


Lost passphrase

2007-04-17 Thread Thomas Sowa
Hi,

a while ago I was experimenting with gpg and mutt, made some keys and
uploaded them. Then there was little time to play with it so I forgot
about it for a while and kept using my old mailer without the keys.

Now I just found the time again to set it all up like it should, and
realized that I wasn't cautious enough not to lose the passphrase.

Well, I know already, that it was stupid, so please don't make me feel
worse than I feel already, but I would appreciate if you could give me
some hints what's the best I could do now.

- i can't revoke it --> no passphrase :-(
- i still need the email addresses with the useless keys
- i definitely can't find the passphrase

My ideas were to make new keys using my name without the middlename, but
for the same email addresses, but I guess it will confuse people.

Thanks for feedback,
Thomas



Re: Lost passphrase

2007-04-17 Thread John W. Moore III
> - i can't revoke it --> no passphrase :-(
> - i still need the email addresses with the useless keys
> - i definitely can't find the passphrase

OK, Stupid Response Question First:

Did You have the common sense to generate a Revocation Certificate
immediately after creating the Key? (i.e. While You could remember the
passphrase)

If You did; then simply Import this Revoke Cert and ship the Dead
Key to the Servers.  If not; and I suspect this is the case, then You
have a Major Problem.  You may be screwed; However You are not the first
individual to confront this problem and, sadly, won't be the last.

If You are unable to Revoke the former Key then by all means; Generate a
New Key (and create a standby Revoke cert) and Publish this Key *AND*
notify every critical correspondent of the new Key!  Still, those folks
who Search for your Key via Email Address may send You encrypted Email
using the Former/Compromised Key. (Shake Head sadly and mutter, "Ah Shit")

I suggest You Move On (sadder but wiser) and accept that You have
made a common misstep on the path to Secure Communication.

JOHN ;)
Timestamp: Tuesday 17 Apr 2007, 08:51 -0400 (Eastern Daylight Time)


Re: Lost passphrase

2007-04-17 Thread Peter S. May
Sven Radde wrote:
> If yes, you're quite screwed as it will stay there forever: New contacts
> will not know which key to choose when they look your name up on the
> keyservers. People might be smart enough to use the newer of the two
> keys. If you don't rely so much on the keyservers to distribute your
> key, it is also less of a problem.
> This *will* sort itself out, however, after the email exchange with them
> has begun: If you receive a message encrypted to your old key, you would
> email them back to use the new one instead. It is just an inconvenience
> to set up the "communication channel" to you. Once your communication
> partner has the correct key in his local keyring, everything will be fine.

I would add to this not to forget the role of Web of Trust in OpenPGP.
To mitigate the effect of losing control of a key, get anyone who signed
your public key (if applicable) to revoke their sigs on the old key and
sign your new one, setting up new in-person meetings as necessary.  The
consensus of even one person you have in common could be a sufficient
clue as to which one is _probably_ right.

Mis dos centavos
PSM



gpgsm --import of CA certificate: Bad signature?

2007-04-17 Thread Simon Josefsson
Hi!  I'm trying to get Scute working in Mozilla (as a first step
towards making GnuTLS also use it as a PKCS#11 module).  I imported my
newly generated certificate into gpgsm as follows:

[EMAIL PROTECTED]:~$ gpgsm --import .gnupg/test-key.pem
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found 
using authorityKeyIdentifier
gpgsm: issuer certificate (#/CN=GnuTLS test CA) not found
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found 
using authorityKeyIdentifier
gpgsm: total number processed: 1
gpgsm:  unchanged: 1
[EMAIL PROTECTED]:~$

I guessed that it wouldn't hurt to import the CA certificate too.  But
here's what happened then:

[EMAIL PROTECTED]:~$ gpgsm --import 
~/src/www-gnutls/test-credentials/x509-ca.pem
gpgsm: self-signed certificate has a BAD signature: Bad signature
gpgsm: basic certificate checks failed - not imported
gpgsm: total number processed: 1
gpgsm:   not imported: 1
[EMAIL PROTECTED]:~$

As far as I can tell, there is nothing wrong with this certificate.
Ideas?

You can retrieve the certificate from:
http://www.gnu.org/software/gnutls/test-credentials/x509-ca.pem

I'm using GnuPG 2.0.3.

I don't know if it is relevant, but the list of 'Supported algorithms'
seems rather short:

[EMAIL PROTECTED]:~$ gpgsm --version
gpgsm (GnuPG) 2.0.3
Copyright (C) 2007 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
[EMAIL PROTECTED]:~$

/Simon



Re: Batch Mode and decrypt

2007-04-17 Thread Peter S. May
David Shaw wrote:
> Again, though, if you're going to actually code the passphrase into
> the script itself, why have a passphrase at all?

On this subject, you should also know that, if you can enter your
passphrase on the system once each time the system starts up, you may
find a combination of gpg-agent (from gnupg-2) and keychain (a
Gentoo-originated script, http://www.gentoo.org/proj/en/keychain/ , that
auto-instantiates and auto-reuses ssh-agent and/or gpg-agent) to be
useful.  It's slightly more secure than writing your passphrase to your
hard drive, and the measures required to get at your key are slightly
more drastic.

(Incidentally, this is probably not the forum to ask for help about
keychain. :-)

Good fortune
PSM



Re: Gnupg cannot handle extremely large keys on 32 bit Linux

2007-04-17 Thread Benjamin Donnachie
Benjamin Donnachie wrote:
> At the moment... I'm sorely tempted to tell them to poke it where the
> sun doesn't shine at the moment... :-/

Apologies for any confusion - just to clarify, it's my work that can
stick it not you guys! :-)

Ben



Re: gpgsm --import of CA certificate: Bad signature?

2007-04-17 Thread Werner Koch
On Tue, 17 Apr 2007 20:14, [EMAIL PROTECTED] said:

> As far as I can tell, there is nothing wrong with this certificate.
> Ideas?

If you look at the pkcs#1 encoding, you get:

Your certificate:

   0 30   31: SEQUENCE {
   2 30    7:   SEQUENCE {
   4 06    5:     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
            :     }
  11 04   20:   OCTET STRING
            :     2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
            :     D3 CE E6 23
            :   }

gpgsm constructs this pkcs#1 to compare it against yours:

   0 30   33: SEQUENCE {
   2 30    9:   SEQUENCE {
   4 06    5:     OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
  11 05    0:     NULL
            :     }
  13 04   20:   OCTET STRING
            :     2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
            :     D3 CE E6 23
            :   }

Thus we have an extra NULL and that is the reason that it does not
verify.  I am too tired to read pkcs#1 now; will do that tomorrow.
Anyway it is the first case that I noticed such a pkcs#1 encoding.

> I don't know if it is relevant, but the list of 'Supported algorithms'
> seems rather short:

Well there is no routine yet to print them.  It would actually be a long
list given all the OIDs you may use to tell that it is RSA or SHA1 or
whatever.



Salam-Shalom,

   Werner


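The two DigestInfo encodings Werner dumps above, rebuilt byte for byte as an added example (not code from the thread or from gpgsm): encode_digest_info() produces the 31-byte form from the certificate or the 33-byte form with the NULL parameters that gpgsm constructs, and parse_digest_info() decodes either so a verifier can compare the OID and digest fields instead of raw bytes. The digest value is the one quoted in the dump.

```python
SHA1_OID = (1, 3, 14, 3, 2, 26)
# The 20-byte SHA-1 value shown in the dumpasn1 output quoted above.
DIGEST_FROM_THREAD = bytes.fromhex("2DE878BE21E4F43FFE269FF320209CBCD3CEE623")


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(arcs):
    """OID content octets: first two arcs packed into one byte, rest base-128."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_digest_info(oid_arcs, digest, null_params=True):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.
    null_params=True yields gpgsm's 33-byte form, False the certificate's 31."""
    alg = _tlv(0x06, encode_oid(oid_arcs))
    if null_params:
        alg += b"\x05\x00"  # the NULL parameters that the certificate omits
    return _tlv(0x30, _tlv(0x30, alg) + _tlv(0x04, digest))


def _read_tlv(buf, pos):
    """Return (tag, content, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)


def parse_digest_info(der):
    """Return (oid_arcs, has_null_params, digest); ValueError if malformed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    tag, oid, apos = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("OBJECT IDENTIFIER missing")
    has_null = alg[apos:] == b"\x05\x00"
    if apos < len(alg) and not has_null:
        raise ValueError("unexpected algorithm parameters")
    tag, digest, end = _read_tlv(body, pos)
    if tag != 0x04 or end != len(body):
        raise ValueError("digest OCTET STRING malformed")
    return decode_oid(oid), has_null, digest


def digest_info_matches(expected, candidate, lenient=True):
    """Byte comparison is what fails in the thread; the lenient path compares
    the decoded OID and digest so the missing NULL no longer matters."""
    if expected == candidate:
        return True
    if not lenient:
        return False
    e_oid, _, e_digest = parse_digest_info(expected)
    c_oid, _, c_digest = parse_digest_info(candidate)
    return e_oid == c_oid and e_digest == c_digest
```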


Re: Lost passphrase

2007-04-17 Thread Henry Hertz Hobbit
Thomas Sowa <[EMAIL PROTECTED]> wrote:



I have read what everybody has said on the subject and one
thing needs to be said again.  THE DEFAULT EXPIRE FOR A NEW
KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!
If they want to change it after they have used them for a
while and like what they have, then they can extend the
TTL for a greater period of time.

I was going to go into detail on why but rather than doing
that, Thomas, wouldn't you like your first key to eventually
die (even though it looks like it was created less than
four months ago)?  Don't the rest of you want the same?

I DO!

Most of the people that are in this situation will have lost
their pass-phrase and will not have used their keys for 1-2
years. With luck it will be over two years, and the old keys
will have already gracefully expired and died.  It seems like
geniuses (excuse me for not being in that category) would
see this.

For that matter, I think the pressure to shove their keys
on to key-servers immediately just needs to be dropped.
I finally caved in and put my keys on the key-servers even
though my keys are obviously tied to a nom-de-guerre and
therefore are NOT part of the WOT.  BUT THEY HAVE A TTL OF
LESS THAN ONE YEAR NOW!  When they die, they die, and I
will generate a new set of keys, just like Johannes
Ulrich (SANS) and others do.  His time span is a year though.
My new keys will also have a TTL, and it won't be infinity!
Increasing computing power alone has made such things as
DES almost laughable now.  Keys shouldn't be made with the
idea that they can last forever.

I don't blame Thomas.  People make mistakes.  A system that
doesn't take that into account needs to make some changes
to minimize the impact of a mistake.

HHH



Re: Lost passphrase

2007-04-17 Thread Robert J. Hansen
> I have read what everybody has said on the subject and one
> thing needs to be said again.  THE DEFAULT EXPIRE FOR A NEW
> KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!

That's making some really big assumptions about the security policy  
of the person making the key.

There are also a lot of perfectly good alternatives which should  
perhaps be excluded first.

Also, a two-year expiration date will do very little to help people  
who forget their passphrases within a few weeks of creating keys.   
Once you remember the passphrase for a few weeks, it'll be in your  
head forever.

> For that matter, I think the pressure to shove their keys
> on to key-servers immediately just needs to be dropped.

A key which cannot be found is a liability, not an asset.  The  
keyservers exist to be used.

> Increasing computing power alone have made such things as
> DES almost laughable now.  Keys shouldn't be made with the
> idea that they can last forever.

There are two responses to this, both of which are factually accurate:

1.  We are unlikely to ever be able to brute-force a 256-bit  
keyspace.  Ever.  Not until computers are made of something other  
than matter, occupy something other than space, run on something  
other than energy, according to rules other than physics.

2.  This is a reason to advocate forethought when generating keys,  
not a reason to advocate just one method of solving the problem.


