Re: OpenPGP digital signature query

2009-04-21 Thread Robert J. Hansen
David Shaw wrote:
> "Sure.  They told me some stuff, and I treated it as anecdote until I
> got confirmation from an attorney."

The correct answer is "yes".  On cross-examination you're not allowed to
give exposition.  So now you've just admitted that your first resource,
the group you went to first rather than talking to an attorney, is a
group that would fail to meet the standards of the law -- and from that,
the lawyer argues your pattern of behavior has been similarly slipshod,
etc., etc.

> There is nothing wrong with asking questions.  It's what you do with the
> answers that matters.

This is a statement about what we wish was true about the world, not what
is actually true about the world.  Walking up to one's boss and asking, "so
why did you screw up this project so badly, and why did you ignore all
of our warnings of impending doom, and when are you going to turn around
your managerial style?" is the sort of thing that tends to lead to
conversations about unemployment benefits.

I agree with you that questions can and should be answered in a
dispassionate manner.  I just disagree about that being the way the
world actually _is_.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: OpenPGP digital signature query

2009-04-21 Thread David Shaw

On Apr 21, 2009, at 7:38 AM, Robert J. Hansen wrote:

> David Shaw wrote:
>> "Sure.  They told me some stuff, and I treated it as anecdote until I
>> got confirmation from an attorney."
>
> The correct answer is "yes".  On cross-examination you're not allowed to
> give exposition.


"Your Honor, I object.  Assuming facts almost comically not in  
evidence."   The original poster says nothing about using this list as  
a "first source of information" (your words), or even any words to  
that effect.  In fact, allow me to repost the entire post:


> Can an OpenPGP digital signature be used to comply with FDA's 21 CFR
> Part 11, or does it mandatorily require X.509 or PKI based signatures?


That's it.  One line.  You seem to be concluding from this that he has  
somehow done something wrong by merely asking the question, but I see  
no actual facts to base that on: merely a guess as to the situation  
underlying the question, and then scolding the questioner based on  
your guess.  Maybe it would be better to let the questioner be  
responsible for the questioner?


I'm happy to continue this discussion offline if you like, but as this  
no longer has any bearing on GPG or OpenPGP, it seems inappropriate  
for this list.


David




Re: Keyserver doesn't honour signature removal

2009-04-21 Thread David Shaw

On Apr 21, 2009, at 1:31 AM, Sven Radde wrote:

> Hi!
>
> David Shaw wrote:
>>> With PKA, you can even get automatic key retrieval without a keyserver.
>>
>> That's not quite right.  PKA records in DNS can point to a keyserver,
>> but you still need the keyserver in the mix somewhere (though, like the
>> "preferred keyserver" feature, that "keyserver" might be a key stored on
>> a web server).
>
> True, you still need some kind of server (one might argue that even
> using CERT, you have a 'keyserver' - the DNS server itself).
> The notable difference, however, is that a web server presents my key
> exactly as *I* desire, allowing for removed signatures, replacing the
> key by a new one etc.
> PKA is the way to get somebody to use my web server already for initial
> key retrieval (although this might not be the primary purpose of PKA) so
> that the (synchronizing merge-only) keyserver network is avoided.


Absolutely.  I do the same thing, just using CERT.  CERT has two  
modes: "PGP" (where the whole key lives in DNS), and "IPGP" for  
Indirect PGP, where you give a URL as in PKA.  IPGP and PKA are  
basically the same thing from the find-a-key perspective.


It's sort of questionable how practical PGP mode is, with the whole  
key stuffed into DNS.  You'd get into DNS over TCP fairly quickly,  
and then (poor) firewalls can start being cranky.  GnuPG does support  
getting keys this way, and I suppose it could be useful with a  
stripped down key (no 3rd party signatures, or even the output of  
"minimize") and expect that people will eventually learn the rest of  
the key info from a full keyserver.  I suspect the basic idea is more  
useful for distributing other OpenPGP objects like revocations, as  
they are quite small and the DNS check for a revocation is quite cheap.


IPGP, though, is very handy.


>> CERT is a standardized way (RFC-4398) to put OpenPGP keys in DNS.
>
> Unfortunately, my provider does not allow me to set CERT type DNS
> records. TXT is possible (for, e.g., SPF and PKA).
> I will ask whether they can do it (since it appears to be natively
> supported in BIND 9, right?)


Ugh, that's a problem.  CERT has been supported since mid BIND 8 (and  
arguably longer since you can do stuff like "TYPE37" and raw  
encoding), but if your provider doesn't let you set arbitrary records,  
then you're stuck.  I've seen providers that do DNS through a web GUI  
with a drop-down menu that allows you to choose A, CNAME, or TXT.  I  
suppose we should be grateful they at least allow TXT!


David
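The two CERT flavours David describes and the PKA TXT record Sven's TXT-only provider can host, as an added example that is not from the thread or from GnuPG: it builds RFC 4398 CERT RDATA, prints it in the RFC 3597 "TYPE37" generic syntax for nameservers without CERT support, and estimates whether a PGP-mode record would push the reply past the 512-byte UDP limit. The fingerprint, owner names and URLs are constructed placeholders.

```python
import struct

CERT_PGP = 3      # RFC 4398 type: the whole OpenPGP key inside the record
CERT_IPGP = 6     # RFC 4398 type: fingerprint plus URL where the key lives
CERT_RRTYPE = 37  # the CERT RR type code, hence "TYPE37" in generic syntax

def cert_rdata(cert_type, certificate):
    """CERT RDATA: type(2) key-tag(2) algorithm(1) certificate.
    RFC 4398 requires key tag 0 and algorithm 0 for PGP and IPGP."""
    return struct.pack("!HHB", cert_type, 0, 0) + certificate

def ipgp_certificate(fingerprint_hex, url):
    """IPGP payload: one-octet fingerprint length, fingerprint, then URL."""
    fpr = bytes.fromhex(fingerprint_hex)
    if len(fpr) > 255:
        raise ValueError("fingerprint does not fit a one-octet length")
    return bytes([len(fpr)]) + fpr + url.encode("ascii")

def parse_cert(rdata):
    """Decode CERT RDATA; for IPGP split out the fingerprint and URL."""
    cert_type, _key_tag, _alg = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    if cert_type == CERT_IPGP:
        n = body[0]
        return {"type": "IPGP", "fpr": body[1:1 + n].hex().upper(),
                "url": body[1 + n:].decode("ascii")}
    if cert_type == CERT_PGP:
        return {"type": "PGP", "key": body}
    raise ValueError(f"unsupported CERT type {cert_type}")

def generic_rr(owner, rdata, ttl=3600):
    """RFC 3597 unknown-type syntax ("TYPE37 and raw encoding"), which a
    nameserver can carry without knowing what CERT is."""
    return f"{owner} {ttl} IN TYPE{CERT_RRTYPE} \\# {len(rdata)} {rdata.hex()}"

def pka_txt(user, domain, fingerprint_hex, url):
    """GnuPG's PKA record: a TXT at <user>._pka.<domain>, the option left
    when a provider offers only A, CNAME and TXT."""
    return f'{user}._pka.{domain}. IN TXT "v=pka1;fpr={fingerprint_hex};uri={url}"'

def needs_tcp(owner, rdata):
    """David's point about PGP mode: a reply above 512 bytes (classic DNS
    UDP limit) retries over TCP.  Rough size: header, question, one RR."""
    question = len(owner) + 2 + 4
    answer = 2 + 10 + len(rdata)      # compressed name + fixed RR fields
    return 12 + question + answer > 512

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed placeholder

if __name__ == "__main__":
    rd = cert_rdata(CERT_IPGP, ipgp_certificate(FPR, "https://example.com/key.asc"))
    print(generic_rr("sven.example.com.", rd))
    print(pka_txt("sven", "example.com", FPR, "https://example.com/key.asc"))
    print(parse_cert(rd), needs_tcp("sven.example.com.", rd))
```

Whichever record type is used, the fingerprint in it is only as trustworthy as the DNS answer that carried it, so the fetched key should still be checked against a fingerprint obtained another way.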




Re: OpenPGP digital signature query

2009-04-21 Thread Bhushan Jain
Hi,
Thanks all for your wise advice. I am basically an engineering student and I
wanted the information for my studies. Affording a lawyer for it is beyond
my pocket :-), but I highly appreciate your valued advice. Most of the
references I read kind of state PKI based digital signatures, but since
OpenPGP is so popular, I was wondering if even that can be deployed.


GNUPG CLI endless loop when using --batch and --decrypt on detached signature file

2009-04-21 Thread Harakiri

When automatically processing files, I found that gnupg has an endless loop,
expecting something from stdin, but no matter what you enter, it will never quit.

1. using --verify

gpg --no-options --batch --status-fd 2 --yes --output out.out --verify in.in.asc
gpg: no signed data
gpg: can't hash datafile: file open error

This is fine, gpg exits and returns an error (I need to supply the signed data
file).

2. using --decrypt without batch on detached signature file

gpg --no-options --status-fd 2 --yes --output out.out --decrypt in.in.asc
Detached signature.
Please enter name of data file: 
No such file, try again or hit enter to quit.

OK, I should enter something and can quit with .

3. now using --decrypt with batch on detached signature file 

gpg --no-options --status-fd 2 --batch --yes --output out.out --decrypt in.in.asc

I can enter what I want - gnupg will never quit - adding --debug-all or -v 
doesn't reveal anything, only control-C will quit - but this doesn't help in a 
batch processing cronjob or similar.

I know that --decrypt is not suited for detached signature files but I'm talking 
about batch processing here and I don't have control over what files are where - at 
the very least GPG should quit with an error because of --status-fd 2. 
According to DETAILS.txt this would be the best case for

UNEXPECTED 
Unexpected data has been encountered
0 - not further specified   1





  



Re: Keyserver doesn't honour signature removal

2009-04-21 Thread David Shaw

On Apr 21, 2009, at 1:44 AM, Faramir wrote:

> Sven Radde wrote:
>> PKA is the way to get somebody to use my web server already for initial
>> key retrieval (although this might not be the primary purpose of PKA) so
>> that the (synchronizing merge-only) keyserver network is avoided.
>
> But if somebody, by mistake or on purpose, uploads your key to a
> "normal" keyserver...


If your preferred keyserver field points to the web server, that would  
tend to (eventually) remove the normal keyserver from the equation.   
That way, if they find your key via the keyserver, then they'll still  
(assuming they haven't changed the default configuration) end up at  
your web site at refresh time.


Personally, I don't worry too much about it.  Given the client-centric  
design of OpenPGP, there will always be ways to get the key from the  
wrong place.  When I update my key, I send it to the keyservers, and  
stick it on my web site.  Whichever the person hits is fine with me  
(or put another way, it's not as if I have a choice in the matter, so  
I may as well be fine with it).


What does worry me about the keyserver situation is that it is  
confusing for the newcomer to OpenPGP: there are several different  
round-robin keyserver setups (with different semantics between them!),  
there are some servers that still can't cope with subkeys, there is  
confusion on whether a syncing server is necessary or not, etc.  This  
is visible every time someone asks a keyserver question on this list:  
each response gives a different recommended server.


David




Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file

2009-04-21 Thread Werner Koch
On Tue, 21 Apr 2009 17:25, Harakiri said:

> 2. using --decrypt without batch on detached signature file


> i can enter what i want - gnupg will never quit - adding --debug-all or -v 
> doesnt reveal anything, only control c will quit - but this doesnt help in a 
> batch processing cronjob or similar.

You must use --batch in unattended mode unless you write the necessary
code to control gpg via --command-fd.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file

2009-04-21 Thread Harakiri




--- On Tue, 4/21/09, Werner Koch  wrote:

> From: Werner Koch 
> Subject: Re: GNUPG CLI endless loop when using --batch and --decrypt on 
> detached signature file
> To: harakiri...@yahoo.com
> Cc: gnupg-users@gnupg.org
> Date: Tuesday, April 21, 2009, 1:27 PM
> On Tue, 21 Apr 2009 17:25, Harakiri said:
> 
> > 2. using -decrypt without batch on detached signature
> file
> 
> 
> > i can enter what i want - gnupg will never quit -
> adding --debug-all or -v doesnt reveal anything, only
> control c will quit - but this doesnt help in a batch
> processing cronjob or similar.
> 
> You must use --batch in unattended mode unless you write
> the necessary
> code to control gpg via --command-fd.
> 

Could you please be a bit more specific?

I'm using --batch in unattended mode but when I use --decrypt on a detached 
signature file there is no way to quit the program except control + C - what am 
I supposed to do? status-fd does not indicate that this is a signature file 
(not encrypted) - so I can't do anything


  



New to list - though lurking for a bit :)

2009-04-21 Thread david

Hi all,

I don't have any issues running GnuPG - at least not on SUSE 11 with GPA
and KDE.

I do have some issues. Normally, when I deliver boats I have two laptops
- one for the navigation systems (Professional 2000) and this Linux Dell
Latitude - but my other laptop (IBM A21e) died; sea water spray is not too
good on repeated Atlantic crossings. It lasted 10 years!

Anyway, I can take the hard disk out of the Dell and leave Linux at home
(Cyprus). I've installed Thunderbird on Pro 2000 but not GnuPG yet.

Are there any issues I should be aware of prior to or when installing GnuPG?
I want to add Enigmail to Thunderbird.

Is it all plain sailing under a Microsoft O/S? Recommended frontends would
be helpful.

Regards,

David

--
Confidentiality Statement

Wisdom is knowing what to do with what you know. This message and any
attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended
recipient, any disclosure, copying, use, or distribution of the
information included in this message and any attachments is prohibited.
If you have received this communication in error email
postmas...@gbenet.com. Thank you.



Re: New to list - though lurking for a bit :)

2009-04-21 Thread John W. Moore III

david wrote:

> Are there any issues I should be aware of prior to or when installing GnuPG?
> I want to add Enigmail to Thunderbird.

You should have no problems under W2K Pro.
> 
> Is it all plain sailing under Microsoft O/S? recommended frontends would
> be helpful.

My personal favorite is GPGshell
[http://www.jumaros.de/rsoft/index.html] but Others will surely differ.  :)

I also recommend that You acquire GnuPG from
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe and then follow
the defaults.

HTH

JOHN ;)
Timestamp: Tuesday 21 Apr 2009, 16:03 -0400 (Eastern Daylight Time)



Re: GNUPG CLI endless loop when using --batch and --decrypt on detached signature file

2009-04-21 Thread Werner Koch
On Tue, 21 Apr 2009 20:29, Harakiri said:

> I'm using --batch in unattended mode but when I use --decrypt on a detached 
> signature file there is no way to quit the program except control + C - what 
> am I supposed to do? status-fd does not indicate that this is a signature 
> file (not encrypted) - so I can't do anything

According to your problem description you are not using --batch:

  2. using --decrypt without batch on detached signature file
  
  gpg --no-options --status-fd 2 --yes --output out.out --decrypt in.in.asc

If there is a tty available gpg will ask the user.  This is a
consequence of the option to use gpg in a pipeline - then you need to
ask the user for additional data (e.g. the passphrase) without getting
into conflicts with the pipeline.  Because it is not easy to decide
whether a tty is available or not, unattended usage requires the use of
the --batch option.

Controlling gpg using --status-fd / --command-fd is an advanced method
and I can't give an introduction to this right now.  Check GPA to see
how to write such code (gpa/src/gpgmeedit.c).  However, I am pretty
sure that you don't want to do this - this is intended for user
frontends.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
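The unattended pattern Werner describes, as an added example that is not from the thread or from GnuPG itself: a small Python wrapper that always passes --batch, closes stdin and bounds the run with a timeout so a stray prompt fails instead of hanging the cron job, and reads the outcome from the --status-fd stream rather than from the human-readable messages Harakiri was looking at. The sample status streams, key id, fingerprint and user id are constructed placeholders.

```python
import subprocess

# Status keywords from GnuPG's doc/DETAILS.  UNEXPECTED is the one the
# original poster quotes; NODATA is what a signature without its data gives.
VERIFIED = {"GOODSIG", "VALIDSIG"}
DECRYPTED = {"DECRYPTION_OKAY"}
FAILED = {"BADSIG", "ERRSIG", "NODATA", "UNEXPECTED", "DECRYPTION_FAILED",
          "NO_PUBKEY"}

def parse_status(stream):
    """Return (keyword, args) pairs from a --status-fd stream.  With
    --status-fd 2 the human diagnostics ("gpg: no signed data") share the
    fd, so only '[GNUPG:] ' lines are machine-readable and kept."""
    events = []
    for line in stream.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[9:].split(None, 1)
            events.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return events

def classify(events):
    """Collapse the events into one verdict a cron job can act on."""
    keywords = {k for k, _ in events}
    if keywords & FAILED:
        return "error"
    if keywords & VERIFIED:
        return "verified"
    if keywords & DECRYPTED:
        return "decrypted"
    return "unknown"   # no status at all: treat as a failure, never as success

def run_unattended(gpg_args, timeout=60):
    """Run gpg the way Werner says a cron job must: --batch disables every
    prompt, --no-tty plus a closed stdin turn any leftover prompt into an
    error instead of a hang, and the timeout is the last line of defence."""
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "2"] + list(gpg_args)
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", []
    events = parse_status(proc.stderr)
    return classify(events), events

# Constructed sample streams (not captured from gpg); key id, fingerprint
# and user id are placeholders.
SAMPLE_VERIFY = """gpg: Signature made Tue 21 Apr 2009
[GNUPG:] GOODSIG 0123456789ABCDEF Placeholder User <user@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-04-21 1240300000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
SAMPLE_NODATA = "gpg: no signed data\n[GNUPG:] NODATA 4\n"

if __name__ == "__main__":
    print(classify(parse_status(SAMPLE_VERIFY)), classify(parse_status(SAMPLE_NODATA)))
```

A real run looks like run_unattended(["--verify", "in.in.asc", "in.in"]); a detached signature handed to --decrypt under these options ends as "error" or "timeout", never as a hung process.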




Further thoughts on Windows Install

2009-04-21 Thread david

Hi All,

Installing GnuPG/Enigmail on Pro 2000, I have to import files from this
Linux laptop - are the file conventions the same?

(a) put the Linux hard drive on USB and scan for public and private keys via
Enigmail or a GUI for GnuPG

(b) copy just the GnuPG folder to USB and scan that

(c) can I just copy the directory to the Win 2000 hard drive?

Any advice on copying/importing between Microsoft O/S and Linux would be
helpful :)

Regards,

David




Re: Further thoughts on Windows Install

2009-04-21 Thread John Clizbe
david wrote:
> Hi All,
> 
> Installing GnuPG/Enigmail on Pro 2000, I have to import files from this
> Linux laptop - are the file conventions the same?

At present. This may change in some future version of GnuPG

> (a) put the Linux hard drive on USB and scan for public and private keys via
> Enigmail or a GUI for GnuPG
> 
> (b) copy just the GnuPG folder to USB and scan that
> 
> (c) can I just copy the directory to the Win 2000 hard drive?
> 
> Any advice on copying/importing between Microsoft O/S and Linux would be
> helpful :)

Copy the files from ~/.gnupg on your Linux box to USB. You should have,
at minimum, pubring.gpg, secring.gpg, trustdb.gpg, and optionally gpg.conf.

On the Windows machine, copy all of the above files to %APPDATA%\GnuPG.

APPDATA is an environment variable you may reference at a command
prompt.  You may also enter %APPDATA% into Explorer's Address bar and it
will handle expanding things. APPDATA normally expands to
C:\Documents and Settings\\Application Data\

-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"


