Re: Use other hash than SHA-1

2009-05-08 Thread Raimar Sandner
On Friday 08 May 2009 02:09:31 David Shaw wrote:

> One fear that I've seen talked about for SHA-1 is that an attacker can
> create a duplicate document such that if you signed document or key A,
> they could come up with a document or key B that your signature would
> equally apply to.  That fear is more than a little overblown.  Even
> MD5 hasn't been broken to that extent.

http://eprint.iacr.org/2005/067.pdf

As far as I understand this paper, MD5 has been broken to that extent. For 
SHA1 you're still right of course.

Raimar


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Use other hash than SHA-1

2009-05-08 Thread Raimar Sandner
On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
> On Friday 08 May 2009 02:09:31 David Shaw wrote:
> > One fear that I've seen talked about for SHA-1 is that an attacker can
> > create a duplicate document such that if you signed document or key A,
> > they could come up with a document or key B that your signature would
> > equally apply to.  That fear is more than a little overblown.  Even
> > MD5 hasn't been broken to that extent.
>
> http://eprint.iacr.org/2005/067.pdf
>
> As far as I understand this paper, MD5 has been broken to that extent. For
> SHA1 you're still right of course.

http://eprint.iacr.org/2009/111.pdf

Sorry, this is the reference I meant... even more impressive :)






Re: Use other hash than SHA-1

2009-05-08 Thread David Shaw

On May 8, 2009, at 3:26 AM, Raimar Sandner wrote:

> On Friday 08 May 2009 09:14:27 Raimar Sandner wrote:
> > On Friday 08 May 2009 02:09:31 David Shaw wrote:
> > > One fear that I've seen talked about for SHA-1 is that an attacker can
> > > create a duplicate document such that if you signed document or key A,
> > > they could come up with a document or key B that your signature would
> > > equally apply to.  That fear is more than a little overblown.  Even
> > > MD5 hasn't been broken to that extent.
> >
> > http://eprint.iacr.org/2005/067.pdf
> >
> > As far as I understand this paper, MD5 has been broken to that extent. For
> > SHA1 you're still right of course.
>
> http://eprint.iacr.org/2009/111.pdf
>
> Sorry, this is the reference I meant... even more impressive :)

That's a different sort of attack.  In the rogue CA attack, the  
attackers generated both A *and* B themselves.  They then arranged to  
have A signed, and were then able to reveal B as if it had also been  
signed (massive oversimplification, of course, as there was a huge  
amount of work involved in even making that work, but the point here  
is that the attackers generated both A and B themselves).  It's a  
collision attack.  This attack (which again I must stress does not yet  
exist for SHA-1) is one of the reasons why it's a good idea to switch  
to SHA-256 for new signatures.  That's just prudent.


There is no current attack, however, against any hash algorithm in  
OpenPGP, that would allow an attacker to pick some arbitrary signature  
out there and generate a key or document that hashes to the same  
value.  This is a preimage attack, either variant of which could be  
used against OpenPGP, but neither of them currently exist - not in  
MD5, and certainly not in SHA-1.  This (lack of) an attack is why I  
don't think people need to worry all that much about their existing  
signatures that are out there.


David
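
Added example, not part of the original thread: the difference between a collision attack (the attacker generates both A and B) and a preimage attack (B has to match an A that already exists), shown on a toy hash. The 16-bit truncation of SHA-256, the function names and the sample messages are assumptions made for this illustration so that both searches finish quickly.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption); MD5 is 128 bits, SHA-1 is 160

def toy_hash(data: bytes) -> int:
    """Top BITS bits of SHA-256, standing in for a deliberately weak hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - BITS)

def find_collision(prefix: bytes):
    """Attacker picks BOTH messages (collision): about 2**(BITS/2) hashes."""
    seen = {}
    for n in count():
        msg = prefix + str(n).encode()
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg

def find_second_preimage(target: bytes, prefix: bytes):
    """Target is fixed in advance (second preimage): about 2**BITS hashes."""
    want = toy_hash(target)
    for n in count():
        msg = prefix + str(n).encode()
        if msg != target and toy_hash(msg) == want:
            return msg, n + 1

if __name__ == "__main__":
    a, b, c_tries = find_collision(b"doc-")
    signed = b"document somebody already signed (constructed sample)"
    forged, p_tries = find_second_preimage(signed, b"other-")
    print(f"collision: {a!r} / {b!r} after {c_tries} hashes")
    print(f"second preimage: {forged!r} after {p_tries} hashes")
    print(f"expected order of magnitude: 2**{BITS // 2} vs 2**{BITS}")
```

Raising BITS widens the gap between the two searches exponentially, which is why a practical collision attack does not by itself endanger signatures that are already published.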




GPG Confirmation

2009-05-08 Thread jnhemley

I was given a new key to use with our partner for encryption. Previously, the
key was working fine. I removed all keys and then imported our key and then
the partner's key. I set trust to ultimate. The encryption works but I now
get a confirmation message. How can I get rid of this confirmation message so
I can batch my encryption?
-- 
View this message in context: 
http://www.nabble.com/GPG-Confirmation-tp23447277p23447277.html
Sent from the GnuPG - User mailing list archive at Nabble.com.




delete bad UID from key on keyserver?

2009-05-08 Thread Anonymous Remailer

Hi,

One of my email accounts is unusable so I deleted the UID from my key
and uploaded it to the keyserver. That accomplished nothing so now I
figured out I should have invalidated the UID and then uploaded it. I
can't do that now because I deleted the UID from my key.

I have to get rid of this email address from my key or people will
continue mailing me and I won't get the mails. Is there some way I can
delete this UID from my key on the keyserver. I figured to try to add
the identical UID back and then invalidate it and then upload the key
but before I screw up again I figured to ask here. Thank you.



gpg: WARNING: standard input reopened

2009-05-08 Thread Patrick Mabie

Hello
I was just wondering, can I fix this?

RPM version 4.4.2.3
gnupg-1.4.5-14.x86_64
CentOS 5.3 x86_64
kernel : 2.6.18-128.1.10.el5

rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign

Generating signature: 1005
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened

Have a good day!
Patrick.




Re: delete bad UID from key on keyserver?

2009-05-08 Thread John W. Moore III

Anonymous Remailer wrote:

> One of my email accounts is unusable so I deleted the UID from my key
> and uploaded it to the keyserver. That accomplished nothing so now I
> figured out I should have invalidated the UID and then uploaded it. I
> can't do that now because I deleted the UID from my key.
> 
> I have to get rid of this email address from my key or people will
> continue mailing me and I won't get the mails. Is there some way I can
> delete this UID from my key on the keyserver. I figured to try to add
> the identical UID back and then invalidate it and then upload the key
> but before I screw up again I figured to ask here. Thank you.

Ahem

Refresh Your Key from the Keyserver and then Revoke the UID which You
will have fetched from the Keyserver.  Then Upload the Key with the
Revoked UID on it.  Then Clean Your Key in Your Keyring and be prepared
to repeat having to deluid every time Your Key is either returned to You
signed because the revoked UID will forever remain on the Server.

For this reason many folks prefer to maintain a Listing on Big Lumber or
a Personal Web Page because only that way can You control exactly how
the Key is retrieved by Others.

HTH

JOHN ;)
Timestamp: Friday 08 May 2009, 15:44  --400 (Eastern Daylight Time)


Re: delete bad UID from key on keyserver?

2009-05-08 Thread John Clizbe
Anonymous Remailer wrote:
> Hi,
> 
> One of my email accounts is unusable so I deleted the UID from my key
> and uploaded it to the keyserver. That accomplished nothing so now I
> figured out I should have invalidated the UID and then uploaded it. I
> can't do that now because I deleted the UID from my key.

You cannot delete information from the keyservers. This is by design.

> I have to get rid of this email address from my key or people will 
> continue mailing me and I won't get the mails. Is there some way I
> can delete this UID from my key on the keyserver. I figured to try to
> add the identical UID back and then invalidate it and then upload the
> key but before I screw up again I figured to ask here. Thank you.

Do not try adding a new uid with the same email. That will give you two
copies of that address.

Refresh your key from a keyserver. This will restore the UID you thought
you could delete:

gpg --keyserver pool.sks-keyservers.net --refresh-keys 0xdecafbad

Now use gpg to revoke the UID:

gpg --edit-key 0xdecafbad

gpg displays a list of UIDs on the key. Enter the number of the UID you
wish to revoke. The list is redisplayed with an * next to the selected
one. Now use the gpg command revuid to revoke:

Command> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4

Answer the passphrase prompt and 'save' to update your keyring with the
modified key. Now send the key with revoked UID to the keyservers

gpg --keyserver pool.sks-keyservers.net --send-keys 0xdecafbad


-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"





Cannot Decryption via UNIX shell script

2009-05-08 Thread Bob Yang
Hi All,

I hit error when using the below script.

gpg -e "key" "file" <


Re: gpg: WARNING: standard input reopened

2009-05-08 Thread David Shaw

On May 8, 2009, at 3:16 PM, Patrick Mabie wrote:

> Hello
> I was just wondering, can I fix this?
>
> RPM version 4.4.2.3
> gnupg-1.4.5-14.x86_64
> CentOS 5.3 x86_64
> kernel : 2.6.18-128.1.10.el5
>
> rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign
>
> Generating signature: 1005
> gpg: WARNING: standard input reopened
> gpg: WARNING: standard input reopened


It's an old bug in RPM, but it was fixed a long time ago.

https://bugzilla.redhat.com/show_bug.cgi?id=197602

The fix is to upgrade your version of RPM.  In the meantime, you can  
ignore the error. It's harmless in the RPM case.


David




Re: GPG Confirmation

2009-05-08 Thread David Shaw

On May 8, 2009, at 10:37 AM, jnhemley wrote:

> I was given a new key to use with our partner for encryption. Previously, the
> key was working fine. I removed all keys and then imported our key and then
> the partner's key. I set trust to ultimate. The encryption works but I now
> get a confirmation message. How can I get rid of this confirmation message so
> I can batch my encryption?


You need to tell GPG that your partner's key is valid.  To do this:

  gpg -u my-key --lsign-key my-partner-key

Then set 'my-key' to ultimate trust if you haven't done that already.

David




Re: Cannot Decryption via UNIX shell script

2009-05-08 Thread Felipe Alvarez
On Wed, 6 May 2009 20:11:27 Bob Yang wrote:
> Hi All,
>
> I hit error when using the below script.
>
> gpg -e "key" "file" <<EOF
> yes
> EOF
>
> Error:
> It is NOT certain that the key belongs to the person named
> in the user ID.  If you *really* know what you are doing,
> you may answer the next question with yes
>
> Use this key anyway?
>
> Does anyone come across this before?
>
> Thanks,
> Bob
You must sign that recipient's public key with your private key. Do this 
only after verifying that the public key does indeed belong to the 
intended recipient. For example, don't blindly sign a key that says 
bill.ga...@microsoft.com if you are not sure that the key belongs to 
Bill Gates. It may belong to "me" and I will have the private key to 
decrypt any messages that you send (of course, I do not have an 
email address at domain microsoft.com). Also, if you choose "file" (as 
you have in your script) there is no need to provide standard input (as 
you wrote <
