Using gpg-groups in gnome?
Hello

does anybody here know a possibility to use gpg key-groups under gnome? groups defined in the gpg.conf (e.g. group mygroupname = 0x9DB0 0x9540) do not show up in nautilus' seahorse extension. kgpg is capable of dealing with groups, but as it is a KDE-application it is not usable via the nautilus context menu.

best regards
Pete

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Help with decrypting gpg file
On Aug 27, 2009, at 10:36 AM, John Betz wrote:

> I appreciate the offer David, but I don't have PowerArchiver so I can't create a sample input file. The file I am trying to decrypt is coming from another source so I would have to get them involved in order to create a sample archive file. Because WinZip is compatible, I am able to open with PGP and then extract the individual files. The problem is specifically with GPG - and I am using that because PGP doesn't run in batch mode. My original thought was that there must be something I was doing wrong when decrypting the file, but based on the feedback I am getting, and my review of available commands and options I doubt that is the issue.

Try 'gpg --list-packets thefile'. What does that return?

David
changing key expiration
Hi gnupg-users!

I changed my expiration with --edit-key expire from never to 3y and uploaded the key. Then I changed it to 5y and uploaded the key. Now the uploaded key has several self signatures and expiration dates on http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF732FBF3E4219D48

    Type bits/keyID cr. time exp time key expir
    pub 1024D/E4219D48 2004-12-19
    uid Bernhard Kuemel bernh...@bksys.at
    sig sig3 E4219D48 2004-12-19 __ __ [selfsig]
    sig sig3 1D503977 2008-08-13 __ __ Mathias Ertl m...@fsinf.at
    sig sig3 E4219D48 2009-08-27 __ 2012-08-26 [selfsig]
    sig sig3 E4219D48 2009-08-27 __ 2014-08-26 [selfsig]
    uid Bernhard Kümel bernh...@bksys.at
    sig sig3 E4219D48 2009-08-27 __ 2012-08-26 [selfsig]
    sig sig3 E4219D48 2009-08-27 __ 2014-08-26 [selfsig]
    sub 1024g/0A5FA7F8 2004-12-19
    sig sbind E4219D48 2004-12-19 __ __ []

It appears the key expiration is part of the signatures. Will the most recent signature have the effective expiration date?

I downloaded the key so I could revoke the unwanted signatures.

--list-packets has 'expires 0' in the key packet and expiry dates in the signature packets:

    bernh...@be:~/.gnupg$ gpg --export bernh...@bksys.at|gpg --list-packets
    :public key packet:
        version 4, algo 17, created 1103422098, expires 0
        pkey[0]: [1024 bits]
        pkey[1]: [160 bits]
        pkey[2]: [1021 bits]
        pkey[3]: [1020 bits]
    :user ID packet: Bernhard Kuemel bernh...@bksys.at
    :signature packet: algo 17, keyid F732FBF3E4219D48
        version 4, created 1251390038, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 18 a8
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        hashed subpkt 2 len 4 (sig created 2009-08-27)
        hashed subpkt 9 len 4 (key expires after 9y252d14h12m)
        subpkt 16 len 8 (issuer key ID F732FBF3E4219D48)
        data: [157 bits]
        data: [159 bits]
    :signature packet: algo 17, keyid 3BD759FD1D503977
        version 4, created 1218642819, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 6b 8a
        hashed subpkt 2 len 4 (sig created 2008-08-13)
        subpkt 16 len 8 (issuer key ID 3BD759FD1D503977)
        data: [159 bits]
        data: [160 bits]
    :signature packet: algo 17, keyid F732FBF3E4219D48
        version 4, created 1103422098, md5len 0, sigclass 0x13
        digest algo 2, begin of digest cf ec
        hashed subpkt 2 len 4 (sig created 2004-12-19)
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        subpkt 16 len 8 (issuer key ID F732FBF3E4219D48)
        data: [159 bits]
        data: [158 bits]
    :signature packet: algo 17, keyid F732FBF3E4219D48
        version 4, created 1251389374, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 7d 2b
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 2 (pref-hash-algos: 2 3)
        hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        hashed subpkt 2 len 4 (sig created 2009-08-27)
        hashed subpkt 9 len 4 (key expires after 7y252d14h1m)
        subpkt 16 len 8 (issuer key ID F732FBF3E4219D48)
        data: [160 bits]
        data: [159 bits]
    :user ID packet: Bernhard K\xc3\xbcmel bernh...@bksys.at
    :signature packet: algo 17, keyid F732FBF3E4219D48
        version 4, created 1251390042, md5len 0, sigclass 0x13
        digest algo 2, begin of digest aa b4
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
        hashed subpkt 30 len 1 (features: 01)
        hashed subpkt 23 len 1 (key server preferences: 80)
        hashed subpkt 2 len 4 (sig created 2009-08-27)
        hashed subpkt 9 len 4 (key expires after 9y252d14h12m)
        subpkt 16 len 8 (issuer key ID F732FBF3E4219D48)
        data: [160 bits]
        data: [159 bits]
    :signature packet: algo 17, keyid F732FBF3E4219D48
        version 4, created 1251389370, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 44 14
        hashed subpkt 27 len 1 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
        hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
Re: changing key expiration
Daniel Kahn Gillmor wrote:

> Hi Bernhard--
>
> On 08/27/2009 01:36 PM, Bernhard Kuemel wrote:
>> It appears the key expiration is part of the signatures. Will the most recent signature have the effective expiration date?
>
> yes, the most recent certification made by the same issuer on a given subject is considered to supersede all other signatures by the same issuer over that subject (in your case, this is a self-signature, so the issuer is the same as the subject).

Ok, great. Could I also sign my key after it expired with a new expiration period to revive it?

Bernhard
Re: changing key expiration
Hi Bernhard--

On 08/27/2009 01:36 PM, Bernhard Kuemel wrote:

> It appears the key expiration is part of the signatures. Will the most recent signature have the effective expiration date?

yes, the most recent certification made by the same issuer on a given subject is considered to supersede all other signatures by the same issuer over that subject (in your case, this is a self-signature, so the issuer is the same as the subject).

> --edit-key revsig only shows me the date when the signatures were made, but it is the same for the last 2 recently made signatures. How can I tell them apart?

A revocation of the User ID from your Key with timestamp X will effectively revoke *any* certification over the Key/User ID pair with a timestamp X. So even if you were to issue a revocation of an earlier signature, if the timestamp of your revocation happens to post-date a signature you wanted to keep, it would be effectively invalidated by the same revocation. At least, this is how gpg appears to interpret the spec, and it seems to be the only reasonable interpretation.

So the answer is: you don't need to issue a revocation for the earlier certifications; they're already superseded by the new certification you made. And it could be actively harmful to try to issue a revocation even for the first one (which you *can* distinguish by date) because the revocation will effectively clobber *any* certification over the same key/user ID made prior to the revocation.

If i've made any mistakes above, i hope someone will step in and correct me!

hth,

--dkg
Re: Using gpg-groups in gnome?
On Thursday 27 August 2009, debianfeed wrote:

> Hello does anybody here know a possibility to use gpg key-groups under gnome? groups defined in the gpg.conf (e.g. group mygroupname = 0x9DB0 0x9540) do not show up in nautilus' seahorse extension. kgpg is capable of dealing with groups, but as it is a KDE-application it is not usable via the nautilus context menu.

I doubt very much that kgpg cannot be added to the Nautilus context menu. I'm pretty sure any application can be added to the Nautilus context menu.

It's a common and hard to kill misconception that just because an application is based on the KDE libraries it does not work in Gnome and vice-versa.

Regards,
Ingo
Re: changing key expiration
On 08/27/2009 03:30 PM, Bernhard Kuemel wrote:

> Ok, great. Could I also sign my key after it expired with a new expiration period to revive it?

Yes, i'm pretty sure you can do this, but i always take pains to try to update the expiration date *before* it passes ;)

--dkg
Re: changing key expiration
On Thu, Aug 27, 2009 at 07:36:02PM +0200, Bernhard Kuemel wrote:

> I changed my expiration with --edit-key expire from never to 3y and uploaded the key. Then I changed it to 5y and uploaded the key. Now the uploaded key has several self signatures and expiration dates on http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF732FBF3E4219D48
>
> It appears the key expiration is part of the signatures. Will the most recent signature have the effective expiration date?

Yes:

    %gpg --with-fingerprint --with-fingerprint --check-sigs E4219D48
    pub 1024D/E4219D48 2004-12-19 [expires: 2014-08-26]
        Key fingerprint = E18F BF4D 0EE2 6522 E950 A06A F732 FBF3 E421 9D48
    uid Bernhard K?mel bernh...@bksys.at
    sig!3 E4219D48 2009-08-27 Bernhard K?mel bernh...@bksys.at
    sig!3 E4219D48 2009-08-27 Bernhard K?mel bernh...@bksys.at
    uid Bernhard Kuemel bernh...@bksys.at
    sig!3 E4219D48 2004-12-19 Bernhard K?mel bernh...@bksys.at
    sig!3 E4219D48 2009-08-27 Bernhard K?mel bernh...@bksys.at
    sig!3 E4219D48 2009-08-27 Bernhard K?mel bernh...@bksys.at
    sub 1024g/0A5FA7F8 2004-12-19
        Key fingerprint = A5C7 D8D4 3C01 9925 15B3 6310 04CE 1D3C 0A5F A7F8
    sig! E4219D48 2004-12-19 Bernhard K?mel bernh...@bksys.at

    1 signature not checked due to a missing key

> I downloaded the key so I could revoke the unwanted signatures.

That isn't really necessary - it will just clutter your key and the keyservers.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jhar...@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
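The rule the replies in this thread agree on (the newest self-signature on a user ID decides the key's expiration) can be checked mechanically from --list-packets text. The following is an added example, not part of any post: SAMPLE is abridged from the listing quoted in the thread, effective_expiry and its parameters are names made up here, and the parser assumes the listing layout shown in the thread.

```python
import re
from datetime import datetime, timedelta, timezone
# Abridged from the --list-packets output quoted in the thread (first user ID only).
SAMPLE = """\
:public key packet:
    version 4, algo 17, created 1103422098, expires 0
:user ID packet: "Bernhard Kuemel"
:signature packet: algo 17, keyid F732FBF3E4219D48
    version 4, created 1251390038, md5len 0, sigclass 0x13
    hashed subpkt 2 len 4 (sig created 2009-08-27)
    hashed subpkt 9 len 4 (key expires after 9y252d14h12m)
:signature packet: algo 17, keyid 3BD759FD1D503977
    version 4, created 1218642819, md5len 0, sigclass 0x13
:signature packet: algo 17, keyid F732FBF3E4219D48
    version 4, created 1103422098, md5len 0, sigclass 0x13
:signature packet: algo 17, keyid F732FBF3E4219D48
    version 4, created 1251389374, md5len 0, sigclass 0x13
    hashed subpkt 9 len 4 (key expires after 7y252d14h1m)
"""

VER = re.compile(r"version \d+,.*?created (\d+),(?:.*?sigclass (0x\w+))?")
DUR = re.compile(r"key expires after (?:(\d+)y)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?")
CERTS = {"0x10", "0x11", "0x12", "0x13"}  # certification classes, not revocations

def effective_expiry(listing, primary_keyid):
    """Map each user ID to the expiry from its newest self-signature (None = never)."""
    key_created, uid, sig, in_key, newest = None, None, None, False, {}
    for line in listing.splitlines():
        s = line.strip()
        if s.startswith(":"):                      # a new packet begins
            in_key, sig = s.startswith(":public key packet:"), None
            if s.startswith(":user ID packet:"):
                uid = s.split("packet:", 1)[1].strip().strip('"')
            elif s.startswith(":signature packet:") and uid is not None:
                if re.search(r"keyid (\w+)", s).group(1) == primary_keyid:
                    sig = {"created": 0, "life": None}
        elif m := VER.match(s):
            if in_key:
                key_created = int(m.group(1))
            elif sig is not None and m.group(2) in CERTS:
                sig["created"] = int(m.group(1))
                if sig["created"] >= newest.get(uid, sig)["created"]:
                    newest[uid] = sig
        elif sig is not None and (m := DUR.search(s)):
            # The subpacket counts from key creation; the listing uses 365-day years.
            y, d, h, mi = (int(g or 0) for g in m.groups())
            sig["life"] = timedelta(days=365 * y + d, hours=h, minutes=mi)
    born = datetime.fromtimestamp(key_created, timezone.utc)
    return {u: born + s["life"] if s["life"] else None for u, s in newest.items()}
```

For the sample, the newest self-signature (created 1251390038) wins, which gives the 2014-08-26 date that --check-sigs reports in the reply above.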
rotating encryption sub keys
Would it be considered a best practice to rotate encryption subkeys on an annual basis, or would that be considered overkill for most uses?

I realize that messages are encrypted using ephemeral session keys which in turn are encrypted with public keys. Considering the small amount of data (i.e. session keys) being encrypted using public keys, are ciphertext attacks really even feasible?
Re: rotating encryption sub keys
On 08/27/2009 06:03 PM, Joseph Oreste Bruni wrote:

> Would it be considered a best practice to rotate encryption subkeys on an annual basis, or would that be considered overkill for most uses?

There almost certainly exist people for whom this is a good idea. That said, I've never met 'em. It seems to be massive overkill.
Re: rotating encryption sub keys
On Aug 27, 2009, at 6:03 PM, Joseph Oreste Bruni wrote:

> Would it be considered a best practice to rotate encryption subkeys on an annual basis, or would that be considered overkill for most uses?

It depends on what you're trying to do. :)

> I realize that messages are encrypted using ephemeral session keys which in turn are encrypted with public keys. Considering the small amount of data (i.e. sessions keys) being encrypted using public keys, are ciphertext attacks really even feasible?

Not really, no. I wouldn't rotate encryption keys for that reason, but there are other reasons that might be more useful for you. For example, if, when you make a new subkey, you also destroy the old one, you give yourself forward security. All messages that were encrypted to the earlier key cannot be decrypted by anyone (including you). At an extreme, you could use a new encryption subkey per-message (something which the keyserver operators would no doubt be thrilled about). This is not generally useful, though, as most people do want the ability to go back and review their old messages.

Incidentally, there have been proposals to add forward security extensions to OpenPGP. See http://www.apache-ssl.org/openpgp-pfs.txt

David