Re: auto refresh-keys
On 06/18/10 12:42, David Shaw wrote:

> The danger here is that it might take a long time (minutes+) to realize
> that the keyserver and/or network wasn't going to cooperate. This could
> seriously slow down many GPG operations.

I've been following this discussion with interest as I've seen problems
related to others not updating keys in the past. However I think David
has identified the same 2 critical problems that I did, non-trivial
amounts of modifications to the keyserver network, and the one he
mentions above.

Personally I think better education for users about the importance of
refreshing their keys is a better way to go. The idea that has been
percolating in my brain is a warning message of some sort when gpg
accesses a key that hasn't been refreshed in $PERIOD. If I understand
the keybox idea properly it should be possible to store the "last
refreshed" time in a format that gpg can easily deal with in line, so
hopefully adding a warning won't be too difficult if that's desirable.

Doug

-- 
... and that's just a little bit of history repeating.
        -- Propellerheads

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple signatures
Robert J. Hansen rjh at sixdemonbag.org
wrote on Fri Jun 18 14:13:56 CEST 2010:

>> I would like to know if there is a way to add multiple signatures for a
>> file (in a separate file) and check who signed with just one command (so
>> not by signing a signed file...).
>
> gpg --armor -u signer -u signer2 -u signer3 --clearsign filename
>
> Warning: these signatures will break old versions of PGP. 6.5.8 and the
> 6.5.8CKT builds will crash when trying to verify them.

no.

6.5.8 and 6.5.8 ckt will crash only when trying to verify multiple
signatures of the same text when *clearsigned*.

Verifying 'Multiple simultaneous signatures' done in armored signed
format, or in signed and encrypted format, or as detached signatures,
will not cause any problem for 6.5.8, 6.5.8 ckt, or 6.5.8 commandline.

vedaal
Re: auto refresh-keys
On Jun 14, 2010, at 7:58 PM, MFPA wrote:

> On Monday 14 June 2010 at 5:50:32 PM, in
> , Daniel Kahn Gillmor wrote:
>
>> Network or keyserver failures during an auto-refresh
>> should be accepted and the rest of the operation should
>> continue (though the last-refreshed time shouldn't be
>> updated).
>
>> What if the network and keyserver are both available,
>> but the keyserver has never heard of the key in
>> question?
>
> Same as Network or keyserver failure: there is no available
> auto-update, so warn and continue with the requested operations.

The danger here is that it might take a long time (minutes+) to realize
that the keyserver and/or network wasn't going to cooperate. This could
seriously slow down many GPG operations.

David
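The behaviour discussed in this thread (failed or empty refreshes leave the last-refreshed time untouched, the time spent on keyservers is bounded, and a key not refreshed within $PERIOD produces a warning), as an added sketch that is not part of any message here and not GnuPG code. The function name, the fetch() callback, the one-week PERIOD and the key IDs are assumptions made for illustration.

```python
import time

PERIOD = 7 * 24 * 3600      # assumed value for the thread's $PERIOD (one week)

def refresh_before_use(key_ids, last_refreshed, fetch, wall_now,
                       budget=10.0, per_key_timeout=3.0, clock=time.monotonic):
    """Try a bounded refresh of each key and return a list of (key_id, warning).

    fetch(key_id, timeout) is a hypothetical keyserver lookup: it returns True
    when the key was found, False when the keyserver does not know the key, and
    raises OSError (TimeoutError included) on network or keyserver failure.
    last_refreshed maps key_id -> Unix time; it is updated only on success.
    """
    warnings = []
    deadline = clock() + budget          # total time all lookups may consume
    for kid in key_ids:
        remaining = deadline - clock()
        if remaining <= 0:
            warnings.append((kid, "refresh skipped: time budget used up"))
        else:
            try:
                found = fetch(kid, min(per_key_timeout, remaining))
            except OSError as exc:
                warnings.append((kid, "refresh failed: %s" % exc))
            else:
                if found:
                    last_refreshed[kid] = wall_now
                else:
                    warnings.append((kid, "keyserver has no such key"))
        # The requested operation continues either way; the user is only told.
        if wall_now - last_refreshed.get(kid, 0) > PERIOD:
            warnings.append((kid, "not refreshed in over %d days" % (PERIOD // 86400)))
    return warnings

if __name__ == "__main__":
    def unreachable(kid, timeout):       # constructed stub: keyserver is down
        raise TimeoutError("keyserver timed out")
    print(refresh_before_use(["KEY1"], {}, unreachable, wall_now=time.time()))
```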
Scute: sec_error_pkcs11_function_failed (was Re: Crypto Stick released!)
On 05/03/2010 10:17 AM, Joke de Buhr wrote:
> I'm using Ubuntu lucid (amd64) with firefox 3.6.3.
>
> On Monday 03 May 2010 15:49:35 Werner Koch wrote:
>> On Mon, 3 May 2010 12:22, j...@seiken.de said:
>>> selecting my key I always get this firefox error message
>>> "sec_error_pkcs11_function_failed".
>>
>> Okay we need to check this. This should really work.

I can report that I also experience this problem with Ubuntu lucid i386
and Scute 1.2.

Slightly related: is there a reason that Scute-1.4 is not listed on the
download page at http://www.scute.org/download.xhtml ?

Thanks
—Alex Mauer “hawke”
Re: auto refresh-keys
On Jun 14, 2010, at 12:50 PM, Daniel Kahn Gillmor wrote:

> On 06/04/2010 01:35 PM, Micah Anderson wrote:
>> It seems like the best solution would be to build into gnupg the
>> functionality that is similar to the automatic trust database
>> operation: have gpg auto-refresh from the configured keyserver
>> periodically.
>
> I think something like this would be a good idea. I've found that many
> users (even sophisticated users) of GnuPG never refresh their keyrings
> manually, which means that they use a good strong tool to (for example)
> encrypt messages to known-revoked keys (in a recent case, to a key whose
> revocation certificate was published over 2½ years ago).

When I wrote the new keyserver stuff, I thought about this sort of
thing, but the lack of a good way to store metadata was a problem (the
keybox fixes this), as well as the concern that keyservers are effective
trackers of who is using what key. For example, a keyserver operator
could tell (based on how often which keys were refreshed), who your
encrypted correspondents were, in rough frequency-of-communication
order, to boot.

This doesn't necessarily make it a bad idea, of course - for some
people, the benefits outweigh the disadvantages. It should be something
users would have to elect to turn on, rather than having it turned on by
default, though.

I'd want to hear from the keyserver community about this. It's easy to
talk about improving behavior, but they're running a free public service
out of the kindness of their hearts. This client-side change could mean
a rather significant increase in the amount of bandwidth their free
service consumes. Some other useful client-side optimizations require
the keyservers to actually do crypto (rather than be the easier packet
stores), which requires a pretty dramatic change in the keyservers
themselves.

David
Uninstall
Hi there,

for a test I installed GPG on MacOsX 5.8; so far so good, works fine,
thank you guys btw. for that nice work.

But now I hang there and I'm not able to uninstall the whole thing. Can
someone tell me a walkthrough, because I'm not so close to the
procedures that are probably necessary for it.

Best wishes from Germany

Andy
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
On 18/06/2010 14:24, David Smith wrote:
> Jean-David Beyer wrote:
>> David Smith wrote:
>>> Mailing lists programs normally send mails with the "Precedence: bulk"
>>> or "Precedence: junk" header, and then the autoresponder should
>>> recognise this and choose not to respond to mails with the "bulk" or
>>> "junk" precedence header. It is up to the autoresponder to act correctly.
>>>
>> Well, the stuff I get from the Gnupg-users@gnupg.org list has
>> "precedence: list" set. Other lists to which I subscribe use "Precedence
>> normal" or "precedence: bulk". Regular e-mail does not have precedence
>> set at all. It seems to me that mailing lists should get their acts
>> together.
>
> OK, Maybe "Precedence: list" is also a valid implementation; I haven't
> looked in detail at the RFQs, etc. - I was just typing from memory. The
> basic method of operation is the same, though - the MLM marks the
> message as a mailing list message using the "Precedence" header, and the
> autoresponder interprets this header when deciding whether to respond.
>

Many years ago I used to maintain the Linux vacation and one of the
checks it did was to check for the existence of the Precedence header.
We also started to add support for Mailman listheaders.

Any decently written OOF/vacation should be able to ignore most mailing
lists.

Sean

-- 
GSWoT and CaCert WOT Assurer
http://www.google.com/profiles/thecivvie
.tel http://rima.tel/

I believe that every human has a finite number of heartbeats. I don't
intend to waste any of mine running around doing exercises.
- Neil Armstrong
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
Jean-David Beyer wrote:

> Well, the stuff I get from the Gnupg-users@gnupg.org list has
> "precedence: list" set. Other lists to which I subscribe use "Precedence
> normal" or "precedence: bulk". Regular e-mail does not have precedence
> set at all. It seems to me that mailing lists should get their acts
> together.

Just checked the relevant RFC (3834), and it says (rather unhelpfully):

    (Because Precedence is not a standard header field, and its use and
    interpretation vary widely in the wild, no particular responder
    behavior in the presence of Precedence is recommended by this
    specification.)
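The autoresponder checks discussed in this thread, as an added example that is not part of any message here and is not the code of the vacation program mentioned above. Because Precedence is non-standard, the sketch also looks at the List-* headers, the RFC 3834 Auto-Submitted field and whether the user is named in To/Cc; the function name, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_PRECEDENCE = {"bulk", "junk", "list"}     # values reported in this thread
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")

def autoreply_decision(raw, my_address, already_notified):
    """Return (send_reply, reason) for one incoming message.

    already_notified is a set of sender addresses that have had a reply;
    it is updated when the decision is to send one.
    """
    msg = message_from_string(raw)
    # RFC 3834: do not answer anything that is itself automatic.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    # Headers added by mailing-list managers such as Mailman.
    present = [h for h in LIST_HEADERS if h in msg]
    if present:
        return False, "list header " + present[0]
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in LIST_PRECEDENCE:
        return False, "Precedence: " + prec
    # A list that sets none of the above still does not name the user in To/Cc.
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in recipients:
        return False, "not addressed to me"
    sender = getaddresses(msg.get_all("From", []))
    if not sender or not sender[0][1]:
        return False, "no usable sender"
    sender_addr = sender[0][1].lower()
    if sender_addr in already_notified:        # one notification per sender
        return False, "already notified"
    already_notified.add(sender_addr)
    return True, "personal mail"

# Constructed sample messages (all addresses are placeholders).
SAMPLES = {
    "precedence_only": "From: a@example.org\nTo: list@example.net\n"
                       "Precedence: list\nSubject: hi\n\nbody\n",
    "list_headers": "From: a@example.org\nTo: list@example.net\n"
                    "List-Id: <list.example.net>\nSubject: hi\n\nbody\n",
    "unmarked_list": "From: a@example.org\nTo: list@example.net\n"
                     "Subject: hi\n\nbody\n",
    "auto_reply": "From: b@example.org\nTo: me@example.com\n"
                  "Auto-Submitted: auto-replied\nSubject: AUTO\n\nbody\n",
    "personal": "From: Bob <bob@example.org>\nTo: Me <me@example.com>\n"
                "Subject: hi\n\nbody\n",
}

if __name__ == "__main__":
    seen = set()
    for name, raw in SAMPLES.items():
        print(name, autoreply_decision(raw, "me@example.com", seen))
```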
Re: Multiple signatures
> On Jun 17, 2010, at 11:33 PM, Boris wrote:
>
> > Hi,
> >
> > I would like to know if there is a way to add multiple signatures for a
> > file (in a separate file) and check who signed with just one command (so
> > not by signing a signed file...).
>
> Sure.
>
> gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
>
> You'll end up with a file-to-sign.sig that contains all three signatures.
> When you verify file-to-sign.sig, all three signatures will be checked.
>
> Alternately, you can do the same "multiple signer" trick with regular --sign
> if you want the data and signatures to be put together into a single file.

On Jun 18, 2010, at 9:14 AM, Boris wrote:

> Ok, Thanks David,
>
> But what if the file is signed by people working on different computers?
> So they will had their signature on the current separate file (corresponding
> to the people who already signed a specific file).

If you want a bunch of people all signing the same file, have each
signer do this:

  gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign

Then have them all send you their "file-to-sign.sig" files. You create a
file containing all of them:

  cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig

Then anyone can verify file-to-sign.sig against the original
file-to-sign and see all the signatures verified.

David
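Why the "cat" step above works, as an added example that is not part of the message: a binary detached signature is a sequence of OpenPGP signature packets, so the concatenated file can be walked packet by packet to see which key IDs are present before it is verified. The function names and the sample packets are constructed for illustration; the code assumes binary (not armored) v4 signatures, and the issuer key ID it reads is only a hint until gpg has verified the signature.

```python
import struct

def make_sig_packet(key_id):
    """Constructed v4 signature packet with dummy values (it will not verify)."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1276866836)   # creation time
    unhashed = bytes([9, 16]) + key_id                        # issuer key ID
    mpi = struct.pack(">H", 9) + b"\x01\x23"                  # dummy 9-bit MPI
    body = (bytes([4, 0, 17, 8])             # v4, binary document, DSA, SHA256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + mpi + mpi)
    return bytes([0x88, len(body)]) + body   # old-format header, tag 2

def packet_header(blob, pos):
    """Return (tag, header_len, body_len) for the packet starting at pos."""
    first = blob[pos]
    if not first & 0x80:
        raise ValueError("offset %d: not an OpenPGP packet" % pos)
    if first & 0x40:                                   # new-format header
        tag, o1 = first & 0x3F, blob[pos + 1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + blob[pos + 2] + 192
        if o1 == 255:
            return tag, 6, int.from_bytes(blob[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not expected here")
    n = 1 << (first & 3)                               # old format: 1, 2 or 4 octets
    if n == 8:
        raise ValueError("indeterminate packet length")
    return (first >> 2) & 0x0F, 1 + n, int.from_bytes(blob[pos + 1:pos + 1 + n], "big")

def issuer_key_id(body):
    """Issuer key ID (subpacket type 16) of a v4 signature body, or None."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    pos, issuer = 4, None
    for _area in ("hashed", "unhashed"):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            slen = body[pos]                 # one-octet subpacket lengths only
            if slen == 0 or slen >= 192:
                raise ValueError("unsupported subpacket length")
            if body[pos + 1] & 0x7F == 16:
                issuer = body[pos + 2:pos + 1 + slen].hex().upper()
            pos += 1 + slen
    return issuer

def signers(blob):
    """Issuer key IDs of all signature packets in a binary .sig file, in order."""
    found, pos = [], 0
    try:
        while pos < len(blob):
            tag, hlen, blen = packet_header(blob, pos)
            body = blob[pos + hlen:pos + hlen + blen]
            if tag != 2 or len(body) != blen:
                raise ValueError("offset %d: not a complete signature packet" % pos)
            found.append(issuer_key_id(body))
            pos += hlen + blen
    except IndexError:
        raise ValueError("truncated signature file") from None
    return found

def missing_signers(blob, required):
    # Key IDs from `required` that have no signature packet in the file.
    return sorted(set(required) - set(signers(blob)))
```

missing_signers() is the check to run when every listed person must have signed: a combined file that simply lacks one signer's packet still verifies cleanly for the signatures it does contain.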
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
Jean-David Beyer wrote:
> David Smith wrote:
>> Mailing lists programs normally send mails with the "Precedence: bulk"
>> or "Precedence: junk" header, and then the autoresponder should
>> recognise this and choose not to respond to mails with the "bulk" or
>> "junk" precedence header. It is up to the autoresponder to act correctly.
>>
> Well, the stuff I get from the Gnupg-users@gnupg.org list has
> "precedence: list" set. Other lists to which I subscribe use "Precedence
> normal" or "precedence: bulk". Regular e-mail does not have precedence
> set at all. It seems to me that mailing lists should get their acts
> together.

OK, Maybe "Precedence: list" is also a valid implementation; I haven't
looked in detail at the RFQs, etc. - I was just typing from memory. The
basic method of operation is the same, though - the MLM marks the
message as a mailing list message using the "Precedence" header, and the
autoresponder interprets this header when deciding whether to respond.
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
David Smith wrote:
> Jean-David Beyer wrote:
>> If I understand correctly, this is done by setting the precedence of the
>> vacation e-mail to "bulk" instead of something else ("list"?), and that
>> mailing list programs do not send the stuff marked bulk.
>>
>> Is that not how mailing list programs work?
>
>
> Not quite.
>
> Mailing lists programs normally send mails with the "Precedence: bulk"
> or "Precedence: junk" header, and then the autoresponder should
> recognise this and choose not to respond to mails with the "bulk" or
> "junk" precedence header. It is up to the autoresponder to act correctly.
>

Well, the stuff I get from the Gnupg-users@gnupg.org list has
"precedence: list" set. Other lists to which I subscribe use "Precedence
normal" or "precedence: bulk". Regular e-mail does not have precedence
set at all. It seems to me that mailing lists should get their acts
together.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:10:01 up 42 days, 17:05, 3 users, load average: 4.63, 4.80, 4.74
Re: Multiple signatures
On Jun 17, 2010, at 11:33 PM, Boris wrote:

> Hi,
>
> I would like to know if there is a way to add multiple signatures for a file
> (in a separate file) and check who signed with just one command (so not by
> signing a signed file...).

Sure.

  gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign

You'll end up with a file-to-sign.sig that contains all three
signatures. When you verify file-to-sign.sig, all three signatures will
be checked.

Alternately, you can do the same "multiple signer" trick with regular
--sign if you want the data and signatures to be put together into a
single file.

David
Re: Multiple signatures
On 6/17/10 11:33 PM, Boris wrote:
> Hi,
>
> I would like to know if there is a way to add multiple signatures for a
> file (in a separate file) and check who signed with just one command (so
> not by signing a signed file...).

  gpg --armor -u signer -u signer2 -u signer3 --clearsign filename

Warning: these signatures will break old versions of PGP. 6.5.8 and the
6.5.8CKT builds will crash when trying to verify them.
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
Jerry wrote:
> On Thu, 17 Jun 2010 16:04:41 -0600
> I was just stating to a colleague that it had been months since an
> errant "vacation" message had been posted on this forum. Well, thanks
> to Bob, that drought has been quenched. With the summer season now
> upon us and vacations becoming the norm, I rest assured that more such
> individuals will be advising us of their schedule.
>
> Then again, maybe, just maybe, this might be a good time for all of us
> to check that we have our mail programs, be them what they may,
> properly configured so as to not pollute forums with useless
> OOF/vacation garbage announcements.
>

If I understand correctly, this is done by setting the precedence of the
vacation e-mail to "bulk" instead of something else ("list"?), and that
mailing list programs do not send the stuff marked bulk.

Is that not how mailing list programs work?

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:20:01 up 42 days, 16:15, 3 users, load average: 4.65, 4.81, 4.56
Help adding IDEA within GnuPG 2.0.9
Hi group,

I am trying to include support for IDEA within GnuPG 2.0.9 running under
Linux.

I have downloaded the idea.c module via the link on this page:
http://www.gnupg.org/faq/why-not-idea.html, have compiled it and have
added the load-extension /idea statement to my conf file in
~/.gnupg/gpg.conf

But it does not seem to load IDEA support anyway.

I have placed the idea module in the ~/.gnupg/ folder - could that be
the problem?

I have verified on another server - with GnuPG 1.4.10 installed - that
here the IDEA support actually gets added with this setup.

The "gpg --load-extension /idea -v --version" command within GnuPG 2.0.9
yields the following:

  ba...@psdkxd02:~/.gnupg> gpg --load-extension /usr/local/ps/batch/.gnupg/idea -v --version
  gpg (GnuPG) 2.0.9
  Copyright (C) 2008 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.

  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA
  Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
          AES256 (S9), TWOFISH (S10)
  Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
        SHA512 (H10), SHA224 (H11)
  Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
  Used libraries: gcrypt(1.4.1)

Any help will be greatly appreciated.

Regards,
Palle

Unless Otherwise Stated Above:
IBM Danmark ApS
Nymøllevej 91
2800 Kongens Lyngby, Danmark
CVR nr.: 65305216
Re: AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
On Thu, 17 Jun 2010 16:04:41 -0600
Richard Hamilton articulated:

> I am out of the office until 06/24/2010.
>
> I am out of the office until Thursday June 24th. If this is a
> production problem, please call the solution center at 918-573-2336
> or email Bob Olson at robert.ol...@williams.com. I will have limited
> mail and cell phone access.
>
>
> Note: This is an automated response to your message "Re: Can we use
> GNUPG with PGP for commercial use" sent on 6/17/10 10:21:32.
>
> This is the only notification you will receive while this person is
> away.

I was just stating to a colleague that it had been months since an
errant "vacation" message had been posted on this forum. Well, thanks
to Bob, that drought has been quenched. With the summer season now
upon us and vacations becoming the norm, I rest assured that more such
individuals will be advising us of their schedule.

Then again, maybe, just maybe, this might be a good time for all of us
to check that we have our mail programs, be them what they may,
properly configured so as to not pollute forums with useless
OOF/vacation garbage announcements.

-- 
Jerry ✌
gnupg.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

I'll be comfortable on the couch. Famous last words.

        Lenny Bruce
Multiple signatures
Hi,

I would like to know if there is a way to add multiple signatures for a
file (in a separate file) and check who signed with just one command (so
not by signing a signed file...).

Thanks,

Koushkov
Re: auto refresh-keys
Hello,

On Friday 18 June 2010 02:10:22, MFPA wrote:

> I don't know how common or uncommon it might be. I just know that, of
> the keys in my keyring of about 400 keys, I have noticed more
> deviations away from my default keyserver to key.asc files than to
> alternate keyservers.

but this is about the share of file URLs in the keyring not the number
of file URLs against the number of alternative key servers. Another
point: With a good auto refresh infrastructure less people might feel
the need to use such a file URL.

> > If your keyservers don't support TLS (I have no idea
> > whether the important ones use it) then you are open to
> > a MitM attack when checking them. If the response is
> > signed then you are not (if you are sure about the
> > signing key :-) ).
>
> OK, up to a point. But the web of trust should thwart this MitM
> attack. Or am I missing something?

You are missing the kind of attack. The WoT prevents you from being
attacked by modified keys. It does not prevent you from being "attacked"
by non-updated keys. The attacker can send you the file you already
have. This is more a DoS attack with security implications for revoked
and added keys and organizational implications if you need more
signatures to verify a key.

> A user with several systems could use common keyrings. Or his own
> local keyserver. Or just export all keys from the keyring he has just
> updated and import them into each of his other keyrings.

Yes but it seems to me that none of that is equally convenient to simply
passing the timestamp file to the other systems. OK, I admit that I have
just considered the case that no keys have to be updated. It makes sense
to create a signed bulk download option, too. First you request the
timestamps, next you request all keys you need to update. That would
allow to avoid server accesses completely by simply passing both signed
files (timestamp list and key collection).

> > Several users might
> > even combine their ID wishlist so that only one of them
> > has to ask the keyserver.
>
> Possibly in a corporate or group setting, where one person could
> refresh the keyring and push the update to his colleagues?

Yes. That would be kind of a caching proxy service. Privacy protection
could be reached by taking "secret" IDs off the list for the "proxy
guy". Unrevealed IDs would be checked directly. If gpg was to be
extended by an option to create an ID list I would suggest the feature
to mark keys as not to be revealed by such update lists.

> I guess there is a risk if the change was a revocation because the key
> has been compromised, and it only reached the bad guy but not the real
> keyserver, and you had only tried to send it to that one server.

Sending to several keyservers does not help if the MitM attack point is
on your side.

> > Look at it the other way round: The more keys there are
> > in the keyring the more bandwidth is saved. I am
> > convinced that users with large keyrings have enough
> > local storage for that...
>
> And if they are using a mobile device with limited storage they
> probably aren't using a large keyring?

How large is your keyring file? I assume that for ten checked keyservers
the file for storing the last timestamp for each key and keyserver would
not even have the size of the keyring. And if there are only 40 KiB of
space left on the device then IMHO you simply have to face the truth:
That the wrong device is used for the application GnuPG.

Hauke

-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814