Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
> On 03/11/2011 01:44 AM, Ben McGinnes wrote:
>> Ah, this is what I've been looking around for! For the sake of the
>> archives, how does one provide a non-exportable certification?
>> Obviously the export flag won't cut it.
>
> Non-exportable OpenPGP certifications are also known as "local
> certifications". To make a non-exportable OpenPGP certification, use:
>
>   gpg --lsign-key fr...@example.net

This bit I knew and have used sporadically, good to know that you were
referring to what I assumed, though.

> To put that in a file:
>
>   gpg --export-options export-local --export --armor fr...@example.net \
>     > frida.gpg
>
> Then the receiving party does:
>
>   gpg --import-options import-local --import frida.gpg

Oh, excellent. Just one little clarification; the man page lists the
parameters as export-local-sigs and import-local-sigs, does shortening
it the way you have work or does the full option name need to be used?

Regards,
Ben

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
On Fri, Mar 11, 2011 at 09:08:50PM +1100, Ben McGinnes wrote:
> On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
>> On 03/11/2011 01:44 AM, Ben McGinnes wrote:
>>> Ah, this is what I've been looking around for! For the sake of the
>>> archives, how does one provide a non-exportable certification?
>>> Obviously the export flag won't cut it.
>>
>> Non-exportable OpenPGP certifications are also known as "local
>> certifications". To make a non-exportable OpenPGP certification, use:
>>
>>   gpg --lsign-key fr...@example.net
>
> This bit I knew and have used sporadically, good to know that you were
> referring to what I assumed, though.
>
>> To put that in a file:
>>
>>   gpg --export-options export-local --export --armor fr...@example.net \
>>     > frida.gpg
>>
>> Then the receiving party does:
>>
>>   gpg --import-options import-local --import frida.gpg
>
> Oh, excellent. Just one little clarification; the man page lists the
> parameters as export-local-sigs and import-local-sigs, does shortening
> it the way you have work or does the full option name need to be used?

All the GnuPG command-line commands and options may be abbreviated to a
unique, unambiguous starting part of their names. Try "gpg --clearsi" or
"gpg --cl", for instance :)

G'luck,
Peter

--
Peter Pentchev   r...@ringlet.net   r...@freebsd.org   pe...@packetscale.com
PGP key:         http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint  FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
On Mar 11, 2011, at 5:08 AM, Ben McGinnes wrote:
> On 11/03/11 6:50 PM, Daniel Kahn Gillmor wrote:
>> On 03/11/2011 01:44 AM, Ben McGinnes wrote:
>>> Ah, this is what I've been looking around for! For the sake of the
>>> archives, how does one provide a non-exportable certification?
>>> Obviously the export flag won't cut it.
>>
>> Non-exportable OpenPGP certifications are also known as "local
>> certifications". To make a non-exportable OpenPGP certification, use:
>>
>>   gpg --lsign-key fr...@example.net
>
> This bit I knew and have used sporadically, good to know that you were
> referring to what I assumed, though.
>
>> To put that in a file:
>>
>>   gpg --export-options export-local --export --armor fr...@example.net \
>>     > frida.gpg
>>
>> Then the receiving party does:
>>
>>   gpg --import-options import-local --import frida.gpg
>
> Oh, excellent. Just one little clarification; the man page lists the
> parameters as export-local-sigs and import-local-sigs, does shortening
> it the way you have work or does the full option name need to be used?

As a general rule, most gpg options can be shortened, so long as they
are still unique. So the real name for the option is export-local-sigs,
but export-local or even export-l is fine (and export would not be, as
gpg can't tell if you mean export-local-sigs, or export-attributes,
or...)

If you're documenting or scripting things, it's good practice to give
the full name since you never know if we're going to add an
export-lovely-sigs option or some such, and thus make export-l
non-unique.

David
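An added example (not code from the thread or from GnuPG) of what the --lsign-key / export-local-sigs distinction looks like at the packet level: a local certification is a certification signature whose hashed subpacket area carries an Exportable Certification subpacket (RFC 4880 section 5.2.3.11, type 4) set to 0, and --export drops such signatures unless export-local-sigs is given. The parser below works on the body of a v4 signature packet (everything after the packet header); the sample bodies are constructed with a dummy MPI in place of a real signature value, since only the subpackets matter here.

```python
import struct
from typing import Optional

SIG_CREATION_TIME = 2          # subpacket types, RFC 4880 section 5.2.3.1
EXPORTABLE_CERTIFICATION = 4
CERTIFICATION_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}


def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                               # one-octet length
            length, i = first, i + 1
        elif first < 255:                             # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                         # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 is the "critical" flag
        i += length


def certification_info(body: bytes) -> dict:
    """Sig type and exportability for the body of a v4 signature packet (tag 2)."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    sig_type = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    exportable = True       # RFC 4880 5.2.3.11: no subpacket means exportable
    for sub_type, data in iter_subpackets(body[6:6 + hashed_len]):
        if sub_type == EXPORTABLE_CERTIFICATION:
            exportable = data[0] == 1
    return {"sig_type": CERTIFICATION_TYPES.get(sig_type, hex(sig_type)),
            "exportable": exportable}


def select_for_export(bodies: list, export_local_sigs: bool = False) -> list:
    """Mimic --export: drop local certifications unless export-local-sigs is set."""
    return [b for b in bodies
            if export_local_sigs or certification_info(b)["exportable"]]


def build_signature_body(sig_type: int, exportable: Optional[bool]) -> bytes:
    """Constructed sample v4 signature body: RSA (1), SHA-256 (8), dummy MPI."""
    subs = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", 1299801600)  # 2011-03-11
    if exportable is not None:      # None = subpacket absent (an ordinary, exportable cert)
        subs += bytes([2, EXPORTABLE_CERTIFICATION, int(exportable)])
    return (bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(subs)) + subs
            + struct.pack(">H", 0)               # no unhashed subpackets
            + b"\xab\xcd"                        # left 16 bits of hash (dummy)
            + struct.pack(">H", 8) + b"\xa5")    # dummy 8-bit MPI, not a real signature


if __name__ == "__main__":
    local = build_signature_body(0x13, False)      # the flag gpg --lsign-key sets
    normal = build_signature_body(0x13, None)
    print(certification_info(local), certification_info(normal))
    print(len(select_for_export([local, normal])), "signature(s) would be exported")
```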
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On 3/11/2011 1:07 AM, Ben McGinnes wrote:
> Out of curiosity, how big is that now?

My complete /var/lib/sks/DB directory comes in at 7.8G. Not too large.
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On 3/10/2011 3:09 PM, Hauke Laging wrote:
> That's the technical situation today. But it is no use to announce that
> to the whole world.

(Did you mean "not necessary" instead of "no use"?)

It is useful to quite a lot of people. Look at how many people map out
webs of trust for entirely innocent purposes. In fact, mapping out webs
of trust is necessary for the WoT idea to even work. "Well, I've signed
Frank's key and I see that Frank's signed Gianna's key, and I trust
Frank so..."

> It is required only for those people who use your signature in a
> validation chain.

How do you propose determining who really needs those signatures for
validation purposes and who doesn't? And once you've made that
determination, how do you enforce it? Those are the two major,
outstanding questions, and so far I've not seen any serious attempts at
answering them. It seems this discussion is stuck at the stage of "it
would be nice if we all had ponies," without any real answers to
questions of "so where will we get the real estate to house the ponies?"
and "who among us is an equine veterinarian?"

> b) nobody who really wants to inform the whole world is in any way
> affected in doing that.

I don't know how to respond to this: since we don't have a workable
proposal for how to accomplish your objectives, we also can't discuss
how your proposal will affect existing users.

> It's perfectly OK for me that you can see that I have signed Ben's key
> but why should others know that?

Because this is not an ORCON system. The system is built around public
certifications and private certifications. You're talking about
introducing an entirely new method, something which seems basically like
an ORCON certification: "I'll make the certification, but I get to
control who gets to learn about the certification."
Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
On 12/03/11 12:33 AM, David Shaw wrote:
> As a general rule, most gpg options can be shortened, so long as they
> are still unique.

A bit like IOS commands, good to know.

> So the real name for the option is export-local-sigs, but export-local
> or even export-l is fine (and export would not be, as gpg can't tell
> if you mean export-local-sigs, or export-attributes, or...)

Makes sense.

> If you're documenting or scripting things, it's good practice to give
> the full name since you never know if we're going to add an
> export-lovely-sigs option or some such, and thus make export-l
> non-unique.

That's sensible, although I'd be a little disturbed if there ever was an
export-lovely-sigs (presumably export-despised-sigs would be the
opposite). ;)

Regards,
Ben
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On 12/03/11 12:33 AM, Robert J. Hansen wrote:
> On 3/11/2011 1:07 AM, Ben McGinnes wrote:
>> Out of curiosity, how big is that now?
>
> My complete /var/lib/sks/DB directory comes in at 7.8G. Not too large.

That's smaller than I would have thought, but a *lot* larger than the
last time I checked (sometime in the '90s).

Regards,
Ben
Re: non-exportable OpenPGP certifications [was: Re: hashed user IDs ]
On 11/03/11 9:54 PM, Peter Pentchev wrote:
> All the GnuPG command-line commands and options may be abbreviated to a
> unique, unambiguous starting part of their names. Try "gpg --clearsi"
> or "gpg --cl", for instance :)

Excellent, thanks.

Regards,
Ben
Compression used in an encrypted message
Forgive my ignorance, but is there a way to take a given encrypted
message/file and determine which compression algorithm was used (and
which level)? I know how to set compression algorithm and level prefs,
but I'm curious to see what others use, if possible.

Thanks,

Avi

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
Re: Compression used in an encrypted message
On Fri, Mar 11, 2011 at 12:50:26PM -0500, Avi wrote:
> Forgive my ignorance, but is there a way to take a given encrypted
> message/file and determine which compression algorithm was used (and
> which level)? I know how to set compression algorithm and level prefs,
> but I'm curious to see what others use, if possible.

If the file has been encrypted to you (or, more specifically, to one of
the secret keys currently accessible to you), then, yes, you most
probably can - "gpg --list-packets filename" should tell you what
compression algorithm has been used, then it's just a matter of looking
it up in RFC 4880 :)

If the message has been encrypted to someone else's key, then you most
probably won't be able to examine it - at least GnuPG does the
compression before the encryption, so that the information about the
compression algorithm used is contained within the encrypted data. You
may still give it a shot with --list-packets, but don't expect too much :)

Hope that helps.

G'luck,
Peter

--
Peter Pentchev   r...@ringlet.net   r...@freebsd.org   pe...@packetscale.com
PGP key:         http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint  FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.
Re: Compression used in an encrypted message
On Mar 11, 2011, at 12:50 PM, Avi wrote:
> Forgive my ignorance, but is there a way to take a given encrypted
> message/file and determine which compression algorithm was used (and
> which level)? I know how to set compression algorithm and level prefs,
> but I'm curious to see what others use, if possible.

You can't tell which compression is used in any arbitrary message since
you need to be able to decrypt it first. If the message is to you,
however, you can run 'gpg --list-packets' on it. When running
list-packets, you should see a line like this:

  :compressed packet: algo=2

  Algo 1 == ZIP
  Algo 2 == ZLIB
  Algo 3 == BZIP2

If there is no "compressed packet" line at all, then the message is
uncompressed.

David
Re: Compression used in an encrypted message
Thanks, everyone. So we can see the algorithm, but cannot see the
compression level used, correct?

Thanks,

--Avi

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Fri, Mar 11, 2011 at 1:35 PM, David Shaw ds...@jabberwocky.com wrote:
> On Mar 11, 2011, at 12:50 PM, Avi wrote:
>> Forgive my ignorance, but is there a way to take a given encrypted
>> message/file and determine which compression algorithm was used (and
>> which level)? I know how to set compression algorithm and level prefs,
>> but I'm curious to see what others use, if possible.
>
> You can't tell which compression is used in any arbitrary message since
> you need to be able to decrypt it first. If the message is to you,
> however, you can run 'gpg --list-packets' on it. When running
> list-packets, you should see a line like this:
>
>   :compressed packet: algo=2
>
>   Algo 1 == ZIP
>   Algo 2 == ZLIB
>   Algo 3 == BZIP2
>
> If there is no "compressed packet" line at all, then the message is
> uncompressed.
>
> David
Re: Compression used in an encrypted message
On Mar 11, 2011, at 2:01 PM, Avi wrote:
> Thanks, everyone. So we can see the algorithm, but cannot see the
> compression level used, correct?

Not directly, no. OpenPGP just encapsulates the compressed stream, so
you'd have to extract the compressed data and examine it. I'm not sure
if a single-number answer is available even then. Basically, if you can
get the level from a regular compressed .gz or .bz2 file, then you can
get it here, but either way, GPG does not have visibility into that.

David
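An added example (not code from the thread or from GnuPG) that does at the byte level what "gpg --list-packets" reports: it reads the algorithm octet of an OpenPGP Compressed Data packet (tag 8) and then looks at the only level information the encapsulated stream's own header carries, the FLEVEL field of a zlib header (RFC 1950, a coarse fastest/fast/default/maximum hint) or the block-size digit of a bzip2 header; a ZIP (raw DEFLATE) stream has no header and gives nothing. This only works on data you can decrypt, since the compressed packet sits inside the encrypted one; the sample packets are constructed with Python's zlib module.

```python
import zlib

# Compression algorithm IDs (RFC 4880 section 9.3), as listed in the thread.
COMPRESSION_ALGOS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}

# FLEVEL field of a zlib stream header (RFC 1950): a coarse hint, not the exact level.
ZLIB_FLEVEL = {0: "fastest", 1: "fast", 2: "default", 3: "maximum"}


def parse_packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for one OpenPGP packet header.

    body_length is None for an old-format indeterminate length (the body then
    runs to the end of the input, which is how gpg writes compressed packets).
    New-format partial body lengths are not needed here and raise ValueError.
    """
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        return tag, 1, None
    nbytes = 1 << ltype                 # 1, 2 or 4 length octets
    return tag, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")


def describe_compression(packet: bytes) -> dict:
    """Report the algorithm (--list-packets' algo=N) and any level hint in the stream."""
    tag, off, length = parse_packet_header(packet)
    if tag != 8:
        raise ValueError(f"tag {tag} is not a Compressed Data packet")
    body = packet[off:] if length is None else packet[off:off + length]
    algo, stream = body[0], body[1:]
    info = {"algo": algo, "name": COMPRESSION_ALGOS.get(algo, "unknown"), "level_hint": None}
    if algo == 2 and len(stream) >= 2 and (stream[0] & 0x0F) == 8:
        info["level_hint"] = ZLIB_FLEVEL[stream[1] >> 6]   # top two bits of FLG
    elif algo == 3 and stream[:3] == b"BZh":
        info["level_hint"] = f"bzip2 -{chr(stream[3])}"     # block-size digit 1..9
    # algo 1 (ZIP) is a raw DEFLATE stream without a header: nothing to read.
    return info


def build_zlib_packet(plaintext: bytes, level: int) -> bytes:
    """Constructed sample: new-format tag-8 packet wrapping a ZLIB stream."""
    body = bytes([2]) + zlib.compress(plaintext, level)
    assert len(body) < 192                # a one-octet length is enough here
    return bytes([0xC8, len(body)]) + body


def build_zip_packet(plaintext: bytes) -> bytes:
    """Constructed sample: old-format, indeterminate-length packet with raw DEFLATE."""
    comp = zlib.compressobj(6, zlib.DEFLATED, -15)   # negative wbits = no zlib header
    return bytes([0xA3, 1]) + comp.compress(plaintext) + comp.flush()


if __name__ == "__main__":
    sample = b"compression level probe, constructed sample text\n" * 4
    for pkt in (build_zlib_packet(sample, 9), build_zlib_packet(sample, 1), build_zip_packet(sample)):
        print(describe_compression(pkt))
```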
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On 11-03-2011 14:33, Robert J. Hansen wrote:
> My complete /var/lib/sks/DB directory comes in at 7.8G. Not too large.

How much of that is repeated automated signatures from the pgp
keyserver?

--
Met vriendelijke groet,

Johan Wevers
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On Mar 11, 2011, at 8:33 AM, Robert J. Hansen wrote:
> On 3/11/2011 1:07 AM, Ben McGinnes wrote:
>> Out of curiosity, how big is that now?
>
> My complete /var/lib/sks/DB directory comes in at 7.8G. Not too large.

That's the on-disk SKS database format, and so contains a good bit of
non-key data and other inefficiencies. A dump of just key data is around
3.5G nowadays.

David
Re: Compression used in an encrypted message
Thank you for the explanations, everyone.

--Avi

On 3/11/11, David Shaw ds...@jabberwocky.com wrote:
> On Mar 11, 2011, at 2:01 PM, Avi wrote:
>> Thanks, everyone. So we can see the algorithm, but cannot see the
>> compression level used, correct?
>
> Not directly, no. OpenPGP just encapsulates the compressed stream, so
> you'd have to extract the compressed data and examine it. I'm not sure
> if a single-number answer is available even then. Basically, if you can
> get the level from a regular compressed .gz or .bz2 file, then you can
> get it here, but either way, GPG does not have visibility into that.
>
> David

--
Sent from my mobile device

User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
On 3/11/11 2:48 PM, Johan Wevers wrote:
> How much of that is repeated automated signatures from the pgp
> keyserver?

Don't know, but it would be an interesting thing to test.
For Windows
Hello. I use Enigmail, so of course I have GnuPG installed. I use 1.4.9
because [1] I can not find an executable for 2.0.17 for Windows, and
[2] I do not know how to configure the GPG-agent. Can somebody please
assist me with upgrading to 2.0.17 and configuring the agent? For about
a week I have been searching everywhere but found nothing. I did install
GPG4WIN then uninstalled it because I could not figure out how to use
the agent and the GPA utility is not screen reader accessible. Thanks in
advance for your help.

PS. I am blind and use a screen reader. Everything must be 100% keyboard
accessible.

--
CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents,
files or previous e-mail messages attached to it may contain
confidential information that is legally privileged. If you are not the
intended recipient, or a person responsible for delivering it to the
intended recipient, you are hereby notified that any disclosure,
copying, distribution or use of any of the information contained in or
attached to this transmission is STRICTLY PROHIBITED. If you have
received this transmission in error, please immediately notify the
sender, and please destroy the original transmission and its attachments
without reading or saving in any manner. Thank you.
Re: For Windows
On 03/11/2011 01:50 PM, Jonathan Ely wrote:
> Hello. I use Enigmail, so of course I have GnuPG installed. I use 1.4.9
> because [1] I can not find an executable for 2.0.17 for Windows, and
> [2] I do not know how to configure the GPG-agent. Can somebody please
> assist me with upgrading to 2.0.17 and configuring the agent? For about
> a week I have been searching everywhere but found nothing. I did install
> GPG4WIN then uninstalled it because I could not figure out how to use
> the agent and the GPA utility is not screen reader accessible. Thanks in
> advance for your help.
>
> PS. I am blind and use a screen reader. Everything must be 100% keyboard
> accessible.

I don't know about an official GnuPG agent for Windows, but Enigmail
ships with a passphrase caching setting. You can access it via the
keyboard with the following shortcuts:

  ALT+n        (currently, the Events and Tasks menu is selected)
  right arrow  (now the OpenPGP menu is selected)
  p            (this brings up the OpenPGP Preferences window)
  TAB

You should now be in the Passphrase settings part of the Basic tab of
the OpenPGP Preferences. Your cursor is focused on a number for
remembering your passphrase for a certain length of time. The default is
5 minutes of idle time. You can change this to anything you want, up to
minutes. 1 more TAB key press will allow you to select a checkbox for
"Never ask for any passphrase". 3 more TAB key presses past that point
will get you to the OK button, to apply the settings.

Hope that helps.

On a side note, you may wish to re-evaluate your email signature.
Confidentiality notices are usually annoying to most recipients,
especially on mailing lists, where the email is publicly accessible on
the Internet for all to see. If sensitive information must be sent over
email, it should be encrypted, with a note in the encrypted mail
notifying the user of its sensitivity. Otherwise, they come across as
elitist and overprotective in nature, and there likely aren't many laws
or legal recourse you can take, should someone redistribute an email you
sent, or post it in a public forum. FYI.
Re: For Windows
On 3/11/11 3:50 PM, Jonathan Ely wrote:
> Hello. I use Enigmail, so of course I have GnuPG installed. I use 1.4.9
> because [1] I can not find an executable for 2.0.17 for Windows, and
> [2] I do not know how to configure the GPG-agent. Can somebody please
> assist me with upgrading to 2.0.17 and configuring the agent? For about
> a week I have been searching everywhere but found nothing. I did install
> GPG4WIN then uninstalled it because I could not figure out how to use
> the agent and the GPA utility is not screen reader accessible. Thanks in
> advance for your help.
>
> PS. I am blind and use a screen reader. Everything must be 100% keyboard
> accessible.

Sorry, I don't have any windows boxes around right now, but did want to
provide two notes.

- GPG4WIN is the right package to install gpg2 on windows, so you've got
  the right installer. It's a shame GPA doesn't work with a screen
  reader.

- The 1.4 branch is still supported and maintained in parallel with the
  2.0 branch. If 1.4.9 is working for you, just stick with 1.4.9, or
  perhaps upgrade to 1.4.11.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
Ben McGinnes wrote:
> On 11/03/11 12:10 AM, Robert J. Hansen wrote:
>> Not at all. Every few days the keyserver network posts complete dumps
>> of all the certificates in the system. (Or, more accurately, various
>> people within the network do.) This exists so that new volunteers who
>> want to contribute their services to the community can get their own
>> servers bootstrapped.
>
> Out of curiosity, how big is that now?

Checking both of my keyservers:

  Total number of keys: 2922831

  http://sks.keyservers.net:11371/pks/lookup?op=stats @ 2011-03-12 00:00:46 CST
  http://keyserver.gingerbear.net:11371/pks/lookup?op=stats @ 2011-03-12 00:00:06 CST

103 servers (from http://www.sks-keyservers.net/status/)
  64 active in the pool, 39 excluded from the pool (for various reasons)

--
John P. Clizbe                      Inet: John (a) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Re: hashed user IDs [was: Re: Security of the gpg private keyring?]
Ben McGinnes wrote:
> On 12/03/11 12:33 AM, Robert J. Hansen wrote:
>> On 3/11/2011 1:07 AM, Ben McGinnes wrote:
>>> Out of curiosity, how big is that now?
>>
>> My complete /var/lib/sks/DB directory comes in at 7.8G. Not too large.
>
> That's smaller than I would have thought, but a *lot* larger than the
> last time I checked (sometime in the '90s).

Ben,

That's the SKS implementation of the key database. On top of the keys,
there are several other tables. Within each table there is also empty
space, most commonly space left at the end of a page.

The present size of just the raw keys -- like you would pull in a
keydump to bootstrap a server -- is 4.38 GB.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"