Re: Best practice for periodic key change?
On Tue, May 10, 2011 at 07:42, Grant Olson wrote:
> Okay, yeah, if the CA sets up the card, authenticates it with their
> signing key, and ships it to you, then there would never be a separate
> master key, no problem there. I get the feeling the card won't like it
> if you try to create a software signing key, but I'm not sure how that
> will work. I do have a spare card here if you want me to test this.

Oh, and yes please do test it -- practical results are helpful.

--
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
PGP and "Smart" Cards
The Basic Error is in giving the merchant your credit card number. You are spreading that number all over Boston and the thugs are gonna grab it and help themselves. The only surprising thing is that this doesn't happen more often. All that a thug needs is a Merchant Account with PCI and he can start using all the Credit Card numbers he wants to buy on the black market forums. Run off a few million bucks and head for Bulgaria. AK-47s are on sale there this week only ( tee hee ) .

Corrected Thinking: DO NOT GIVE OUT YOUR CARD NUMBER.

Smart Card Technology -- or your iPhone -- can make this possible. Instead of you giving the merchant your account number the merchant should send an invoice to your Smart Card -- or to the PCI App in your iPhone.

Your Smart Card -- or the PCI App in your iPhone -- could then encrypt the invoice together with authorization for payment and forward this cipher text back to the merchant's Point of Sale Terminal (POST). The merchant would NOT be able to decrypt this cipher text as it would be encrypted to the PCI: to the financial institution that issued your SmartCard.

The POST would forward the cipher text to the PCI. The PCI would decrypt the cipher text and verify your signature. On approval PCI would forward a paid copy of the invoice back to the POST and an EFT credit to the Merchant's account and an equal EFT debit to your account. The POST prints the paid invoice and off you go with your new egg beater and don't forget the receipt ( called the paid invoice here ) .

--
/MIKE
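Editor's added example (not code from the post or from any card network): a small simulation of the flow Mike sketches, with the card authorizing the merchant's invoice and the issuer alone verifying it. Python's standard library has no public-key primitives, so the "encrypt the invoice to the issuer and sign it" step is stood in for by an HMAC cryptogram over the invoice, keyed with a per-card secret that only the card and the issuer hold; the merchant's terminal sees an opaque token and the cryptogram, never an account number, and cannot alter the amount or replay a past authorization. Tokens, account ids and balances are constructed values.

```python
"""Card-authorizes-the-invoice flow: the merchant never learns the account number.

Added example, not from the post. An HMAC cryptogram keyed with a per-card secret
shared only between card and issuer replaces the post's public-key encrypt-and-sign
step (stdlib has no public-key crypto). All tokens, ids and balances are constructed.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple


def invoice_digest(invoice: dict) -> str:
    """Canonical hash of the invoice so card and issuer bind exactly the same bytes."""
    return hashlib.sha256(json.dumps(invoice, sort_keys=True).encode()).hexdigest()


def cryptogram(key: bytes, token: str, counter: int, digest: str) -> str:
    """Authorization cryptogram over (card token, transaction counter, invoice hash)."""
    return hmac.new(key, f"{token}|{counter}|{digest}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Card:
    token: str        # opaque reference; the real account number stays at the issuer
    key: bytes        # per-card secret shared only with the issuer
    counter: int = 0  # transaction counter, lets the issuer reject replays

    def authorize(self, invoice: dict) -> dict:
        """What the card hands back to the point-of-sale terminal (POST)."""
        self.counter += 1
        digest = invoice_digest(invoice)
        return {"token": self.token, "counter": self.counter, "invoice_digest": digest,
                "mac": cryptogram(self.key, self.token, self.counter, digest)}


@dataclass
class Issuer:
    cards: Dict[str, Tuple[bytes, str]]            # token -> (card key, account id)
    balances: Dict[str, int]                       # account id -> balance in cents
    last_counter: Dict[str, int] = field(default_factory=dict)

    def settle(self, invoice: dict, auth: dict) -> dict:
        """Verify the cryptogram the POST forwarded, then move the money (EFT debit/credit)."""
        if auth["token"] not in self.cards:
            return {"status": "declined", "reason": "unknown card"}
        key, account = self.cards[auth["token"]]
        expected = cryptogram(key, auth["token"], auth["counter"], invoice_digest(invoice))
        if not hmac.compare_digest(expected, auth["mac"]):
            return {"status": "declined", "reason": "cryptogram does not match invoice"}
        if auth["counter"] <= self.last_counter.get(auth["token"], 0):
            return {"status": "declined", "reason": "replayed authorization"}
        amount, merchant = invoice["amount_cents"], invoice["merchant_account"]
        if self.balances.get(account, 0) < amount:
            return {"status": "declined", "reason": "insufficient funds"}
        self.last_counter[auth["token"]] = auth["counter"]
        self.balances[account] -= amount                                   # EFT debit
        self.balances[merchant] = self.balances.get(merchant, 0) + amount  # EFT credit
        return {"status": "paid", "invoice": dict(invoice, paid=True)}     # paid invoice back to POST


def demo() -> dict:
    """One honest purchase, then a tampered amount and a replay, both from the merchant side."""
    key = os.urandom(32)
    issuer = Issuer(cards={"tok-4f2a": (key, "acct-customer")},
                    balances={"acct-customer": 10000, "acct-merchant": 0})
    card = Card(token="tok-4f2a", key=key)
    invoice = {"invoice_id": "INV-0001", "merchant_account": "acct-merchant",
               "amount_cents": 1299, "description": "egg beater"}
    auth = card.authorize(invoice)              # the POST receives only this
    first = issuer.settle(invoice, auth)        # POST forwards cryptogram to the issuer
    tampered = issuer.settle(dict(invoice, amount_cents=129900), auth)
    replayed = issuer.settle(invoice, auth)
    return {"merchant_saw": sorted(auth), "first": first, "tampered": tampered,
            "replayed": replayed, "balances": issuer.balances}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The design choice worth noting is where the secret lives: the merchant holds nothing that lets it authorize a payment on its own, so a breach of the merchant yields tokens and cryptograms that are bound to one invoice and one counter value, not a reusable card number.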
PGP Help Require Basic
Hi folks,

Well, I have got to encrypt/decrypt the files using Open PGP. Now I have got PGP key block and Pgp KEY from other party. I have also installed GPG on my local machine.

But I really don't have any idea what to do next. Please let me know what to do with PGP key (0xAJ7A9B41) and PGP key block (this is very strange text). Something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 7.0

mQGiBDvhv4gRBAD3Yy7eNlvXLPCFWc8/qKe8wCYp7HkY54jvbxUbvcvdzFfVhy1A
69hMzDc3Yn2+Q1tXT36bibQa2vvh6ak
AY/fA/0Yib5WP68WC29GMSxfasKaG+7eSWlBvxpcnCKmOGRGngtxAtycuqfS3rX9
0fkFTcaBN2YIGarBWeYoF2H401Ntxi1
ib5WP68WC29GMSxfasKaG+7eSWlBvxpcnCKmOGRGngtxAtycuqfS3rX9
0fkFTcaBN2YIGarBWeYoF2H401Ntxi1
ib5WP68WC29GMSxfasKaG+7eSWlBvxpcnCKmOGRGngtxAtycuqfS3rX9
0fkFTcaBN2YIGarBWeYoF2H401Ntxi1
bIIhgTJhoxBcQZU6RQhbkSrkBZJ2JUu71
XOXHSR+oCOEMSnV+4WJPP3bt0hDM5nGnnA0vTJj6+g0ZSyYck7QXdGVzdCA8dGVz
=mqES
-----END PGP PUBLIC KEY BLOCK-----

Please help.

Kind regards,
AJ
GPG Problem - invalid radix64 character
I needed to move lots of data from one site to another across Europe. I got a huge disk and archived all data onto that using something like (simplified):

    find | cpio -o | gpg -e | split - /disk/archive.

To extract the data again, it's just as simple:

    cat `find /disk/archive.* | sort` | gpg -d | cpio -i

This has worked perfectly for a number of these data moves I've done over the last few months... But this last one gave me a problem when trying to unpack it:

    gpg: invalid radix64 character D0 skipped
    gpg: invalid radix64 character 00 skipped
    gpg: invalid radix64 character AD skipped
    gpg: invalid radix64 character DE skipped
    [these four lines repeat for a while]
    gpg: [don't know]: invalid packet (ctb=73)
    gpg: mdc_packet with invalid encoding
    gpg: decryption failed: Invalid packet
    gpg: [don't know]: invalid packet (ctb=36)
    gpg: no valid OpenPGP data found.
    cpio: premature end of file

There are 1498 4GB files, and I managed to extract 792GB before this failure. But since the archive files are in ASCII armor, there's no telling in which file the problem lies! I'm currently looking for '^-|.*:|^$' in the files, but so far nothing...

1. What characters are D0, 00, AD and DE? What can I look for (to try to diagnose the problem/file)?

2. Is there ANYTHING I can do to get my data, except making a new archive (which, for various reasons, takes about two-three weeks)?

I've googled this problem, but most (if not all) get this when/if receiving an ASCII armor via mail which messes things up. I doubt very much that's the problem here, since I'm using the exact, identical file I started with, not a copy (which is the result of mailing it)...
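Editor's added example (not from the thread or from GnuPG) addressing question 1 and the "which file?" problem. The radix-64 alphabet is A-Z, a-z, 0-9, '+', '/' and '=', all plain ASCII, so 0xD0, 0xAD and 0xDE (high bit set) and 0x00 (NUL) can never be legitimate armor body bytes; gpg prints the value of each such byte in hex and skips it. Bytes like these are consistent with corruption of the stored armor text rather than with the line rewrapping mail transport does. The script walks the split chunks in the same order `cat archive.* | gpg -d` would, tracks the BEGIN/header/body/END structure of the armor, and reports each offending byte with its chunk index and offset. The sample chunks are constructed in memory; on a real archive, feed it the file contents in sorted order.

```python
"""Locate bytes outside the radix-64 alphabet in a split, ASCII-armored archive.

Added example, not from the thread. Mirrors `cat archive.* | gpg -d`: chunks are
walked in order, the armor's BEGIN/header/body/END structure is tracked line by
line, and every body byte that is not a radix-64 character is reported with the
chunk it lives in and its offset inside that chunk. The sample data is constructed.
"""
import base64
import string
from typing import Iterable, List, Tuple

# RFC 4880 radix-64 alphabet plus '=' (padding and the CRC line).
RADIX64 = frozenset((string.ascii_letters + string.digits + "+/=").encode())
# Whitespace that may legitimately sit on an armor line (CR from CRLF files, trailing blanks).
LINE_WS = frozenset(b"\r\t ")

Finding = Tuple[int, int, int]  # (chunk index, byte offset within that chunk, byte value)


def classify_byte(b: int) -> str:
    """Say why a byte cannot be a radix-64 character (answers "what is D0/00/AD/DE?")."""
    if b == 0x00:
        return "NUL"
    if b >= 0x80:
        return "non-ASCII (high bit set)"
    if b < 0x20 or b == 0x7F:
        return "ASCII control"
    return "printable ASCII outside the radix-64 alphabet"


def scan_armor_chunks(chunks: Iterable[bytes], max_findings: int = 10) -> List[Finding]:
    """Return the first `max_findings` invalid body bytes across the concatenated chunks."""
    findings: List[Finding] = []
    state = "outside"                            # outside -> headers -> body -> outside
    line: List[Tuple[int, int, int]] = []        # (chunk, offset, byte) of the current line

    def end_of_line() -> None:
        nonlocal state
        text = bytes(b for _, _, b in line)
        if text.startswith(b"-----BEGIN PGP"):
            state = "headers"                    # armor header lines (Version:, Comment:) follow
        elif text.startswith(b"-----END PGP"):
            state = "outside"
        elif state == "headers" and text.strip() == b"":
            state = "body"                       # blank line separates headers from the base64 body
        elif state == "body":
            for chunk, off, b in line:
                if b not in RADIX64 and b not in LINE_WS:
                    findings.append((chunk, off, b))
        line.clear()

    for idx, chunk in enumerate(chunks):
        for off, b in enumerate(chunk):
            if b == 0x0A:                        # newline: classify the completed line
                end_of_line()
                if len(findings) >= max_findings:
                    return findings[:max_findings]
            else:
                line.append((idx, off, b))
    end_of_line()                                # last line without a trailing newline
    return findings[:max_findings]


def report(findings: List[Finding]) -> List[str]:
    """Render findings the way gpg names them (upper-case hex), plus chunk and offset."""
    return [f"chunk {c} offset {o}: invalid radix64 character {b:02X} ({classify_byte(b)})"
            for c, o, b in findings]


def build_sample_chunks() -> List[bytes]:
    """Constructed sample: a well-formed armor block split in two, with the four
    byte values from the thread spliced into the base64 body inside the second chunk."""
    body = base64.b64encode(bytes(range(48))).decode()     # 64 chars, one armor line
    lines = ["-----BEGIN PGP MESSAGE-----", "Version: constructed sample", "",
             body, "=AAAA", "-----END PGP MESSAGE-----", ""]
    armor = "\n".join(lines).encode()
    cut = len(armor) // 2                                   # split mid-line, as `split` may
    second = armor[cut:cut + 20] + bytes([0xD0, 0x00, 0xAD, 0xDE]) + armor[cut + 20:]
    return [armor[:cut], second]


if __name__ == "__main__":
    for msg in report(scan_armor_chunks(build_sample_chunks())):
        print(msg)
```

Because the state machine spans chunk boundaries, a line that `split` cut in two is still checked as one line, and the finding points at the physical file that holds the bad byte rather than at the concatenated stream.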
Re: PGP Help Require Basic
On Tue, May 10, 2011 at 04:32:24PM +1000 Also sprach Aakash:
> Hi folks,
>
> Well, I have got to encrypt/decrypt the files using Open PGP. Now I have got
> PGP key block and Pgp KEY from other party. I have also installed GPG on my
> local machine.
>
> but i really dont have any idea what to do next. Please let me know what to
> do with PGP key (0xAJ7A9B41) and PGP key block (this is very strange text).

Have you considered reading the GnuPG user guide? The user guide contains detailed instructions on how to use GnuPG, and is available in several languages:

http://www.gnupg.org/documentation/guides.html

--
"Chance favors the prepared mind." --Louis Pasteur
Re: Best practice for periodic key change?
On Tuesday, 10 May 2011, 07:10:42, Jerome Baum wrote:

> an option for GnuPG: reject-subkey-signatures
>
> No need to change OpenPGP for this.

This is possible only if it is safe for old implementations. I see one option for that: A signature notation for this purpose could be defined and this notation could be marked critical. The standard says:

"If a subpacket is encountered that is marked critical but is unknown to the evaluating software, the evaluator SHOULD consider the signature to be in error."

I don't understand whether this refers to the packet type or the packet content. If an implementation knows what a notation is (and shows it) but does not know the meaning of the new standardized notation, what is it supposed to do according to RFC 4880? Generate an error saying "I don't understand what this notation is about" or signal success saying "I recognize this as a notation. (And I don't care about its content.)"?

If the recognition refers to the content then it's easy. There would be the practical problem left to check how the (relevant) implementations behave. It's no use if you are theoretically right but it is trivial to trick people into acceptance of wrong signatures because an often used software does not work right.

A safe solution should be to define a new packet type. That might be a generic "notation with critical content" type. This would behave like a notation with the difference that the recognition check is extended to the content (if this packet is marked critical?).

But if the standard is extended then it makes more sense to have subkeys certified explicitly instead of forbidding the acceptance of normal subkeys in general.

> The CA would then sign the master key that is generated on-card, and the
> certification just won't apply to the sub-keys. Does this solve the "all
> signatures _must_ be generated on-card" issue?

In theory. The practical problem remains: Do "all" implementations behave that way.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: PGP Help Require Basic
On Tuesday, 10 May 2011, 08:32:24, Aakash wrote:

> Well, I have got to encrypt/decrypt the files using Open PGP. Now I have
> got PGP key block and Pgp KEY from other party. I have also installed GPG
> on my local machine.
>
> but i really dont have any idea what to do next. Please let me know what to
> do with PGP key (0xAJ7A9B41) and PGP key block (this is very strange text).

For the typical use of GnuPG you need two keys:

a) yours (consisting of a public key and a private key)
b) the one of your communication partner (public key only)

You have to import the public key of the other one. And you have to create (or import) your own private key.

For information on how this is done and how encryption / decryption is done after you got your keys working you should have a look at some documentation, as you have been hinted at.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: Best practice for periodic key change?
I don't see why it would need a standards change, or why the option can't be, well, optional. We aren't trying to force all gpg installations to conform, but to make it possible to configure an installation to conform. Normal gpg should continue to function.

(Mobile/Handy)

On 10.05.2011 15:33 "Hauke Laging" wrote:
> On Tuesday, 10 May 2011, 07:10:42, Jerome Baum wrote:
> > an option for GnuPG: reject-subkey-signatures
> >
> > No need to change OpenPGP for this.
>
> This is possible only if it is safe for old implementations. I see one option for that: A signature notation for this purpose could be defined and this notation could be marked critical. The standard says:
>
> "If a subpacket is encountered that is marked critical but is unknown to the evaluating software, the evaluator SHOULD consider the signature to be in error."
>
> I don't understand whether this refers to the packet type or the packet content. If an implementation knows what a notation is (and shows it) but does not know the meaning of the new standardized notation what is it supposed to do according to RFC 4880? Generate an error saying "I don't understand what this notation is about" or signal success saying "I recognize this as a notation. (And I don't care about its content.)"?
>
> If the recognition refers to the content then it's easy. There would be the practical problem left to check how the (relevant) implementations behave. It's no use if you are theoretically right but it is trivial to trick people into acceptance of wrong signatures because an often used software does not work right.
>
> A safe solution should be to define a new packet type. That might be a generic "notation with critical content" type. This would behave like a notation with the difference that the recognition check is extended to the content (if this packet is marked critical?).
>
> But if the standard is extended then it makes more sense to have subkeys certified explicitly instead of forbidding the acceptance of normal subkeys in general.
>
> > The CA would then sign the master key that is generated on-card, and the
> > certification just wo...
>
> In theory. The practice problem remains: Do "all" implementations behave that way.
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
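Editor's added example for the exchange between Hauke and Jerome above (not code from the thread or from GnuPG): a minimal encoder and parser for RFC 4880 signature subpackets that applies the "critical but unknown" rule under both readings Hauke contrasts. In the type-level reading, a notation subpacket (type 20) is a known type, so a critical notation whose name the verifier has never seen is still accepted; in the content-level reading, that same notation fails the signature. Both readings agree on the unambiguous case, a critical subpacket of a type the verifier does not know at all. The notation name and the issuer key id used in the sample area are constructed placeholders.

```python
"""Critical subpackets vs. critical notation content (RFC 4880 section 5.2.3).

Added example, not from the thread or from GnuPG. Encodes and parses a constructed
hashed-subpacket area and applies the "critical but unknown" rule under two readings:
type-level (a notation is a known subpacket type, so its content never fails the
signature) and content-level (a critical notation the verifier does not understand
fails it). The notation name and key id below are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

NOTATION_DATA = 20
# Subpacket types this toy verifier understands (type numbers from RFC 4880 5.2.3.1).
KNOWN_TYPES = {2: "signature creation time", 3: "signature expiration time",
               16: "issuer", 20: "notation data", 27: "key flags"}


@dataclass
class Subpacket:
    type: int        # low 7 bits of the type octet
    critical: bool   # bit 7 of the type octet
    body: bytes


def encode_subpacket(sp_type: int, body: bytes, critical: bool = False) -> bytes:
    """Subpacket length (1, 2 or 5 octets; it covers the type octet) + type octet + body."""
    length = len(body) + 1
    if length < 192:
        enc = bytes([length])
    elif length < 16320:
        length -= 192
        enc = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        enc = b"\xff" + struct.pack(">I", length)
    return enc + bytes([sp_type | (0x80 if critical else 0)]) + body


def parse_subpackets(data: bytes) -> List[Subpacket]:
    """Split a hashed or unhashed subpacket area into its subpackets."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + data[i] + 192
            i += 1
        else:
            length = struct.unpack(">I", data[i:i + 4])[0]
            i += 4
        if length < 1 or i + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        type_octet = data[i]
        out.append(Subpacket(type_octet & 0x7F, bool(type_octet & 0x80), data[i + 1:i + length]))
        i += length
    return out


def encode_notation(name: bytes, value: bytes, human_readable: bool = True) -> bytes:
    """Notation Data body (5.2.3.16): 4 flag octets, name length, value length, name, value."""
    flags = 0x80000000 if human_readable else 0
    return struct.pack(">IHH", flags, len(name), len(value)) + name + value


def parse_notation(body: bytes) -> Tuple[str, bytes, bool]:
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    name = body[8:8 + name_len]
    value = body[8 + name_len:8 + name_len + value_len]
    if len(name) != name_len or len(value) != value_len:
        raise ValueError("truncated notation")
    return name.decode("utf-8"), value, bool(flags & 0x80000000)


def evaluate(data: bytes, understood_notations: Set[str],
             strict_notation_content: bool) -> Tuple[str, List[str]]:
    """Apply the critical-bit rule; returns ("ok" | "error", explanations)."""
    fatal, notes = False, []
    for sp in parse_subpackets(data):
        if sp.type not in KNOWN_TYPES:
            if sp.critical:                      # the case the standard states plainly
                fatal = True
                notes.append(f"unknown subpacket type {sp.type} marked critical")
            continue                             # unknown and non-critical: ignore
        if sp.type == NOTATION_DATA:
            name, _, _ = parse_notation(sp.body)
            if sp.critical and name not in understood_notations:
                if strict_notation_content:      # content-level reading
                    fatal = True
                    notes.append(f"critical notation {name!r} not understood")
                else:                            # type-level reading
                    notes.append(f"critical notation {name!r} not understood, "
                                 "accepted because type 20 itself is known")
    return ("error" if fatal else "ok"), notes


def build_sample_area() -> bytes:
    """Constructed hashed area: creation time, a placeholder issuer, a critical notation."""
    return (encode_subpacket(2, struct.pack(">I", 1305000000))
            + encode_subpacket(16, b"\x00" * 8)          # placeholder 8-octet key id
            + encode_subpacket(NOTATION_DATA,
                               encode_notation(b"reject-subkey-signatures@example.com", b"1"),
                               critical=True))
```

Running `evaluate(build_sample_area(), set(), strict_notation_content=False)` versus `True` shows the two verifiers disagreeing on the same bytes, which is exactly why Hauke says the relevant implementations would have to be tested before relying on a critical notation for this purpose.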
Re: PGP and "Smart" Cards
Good luck. The merchants don't seem to care, and the banks still think that the name of my third-grade teacher is some kind of closely guarded secret. It's not going to happen unless required by law or in response to some hugely expensive (and successful) class actions against card issuers. The customer is the only one with a compelling incentive to change the system.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: Problem with the pgp to gpg key migration
Pramod.R Pramod.R at target.com wrote on Mon May 9 14:43:06 CEST 2011:

> 1) Tried exporting the private and the public key from pgp using the commands:
>
> pgp -kx " " pubkey.pgp
> pgp -kx " " sec.pgp ~/.pgp/secring.skr

pgp commandline makes it extremely difficult to extract a secret key. The -kx commands extract only public keys. (There was a workaround that Disastry showed me once many years ago, but I forgot it :-(( since it has been easier to just use the following gnupg command):

    gpg --import secring.skr

and gnupg will import both the public and secret keys.

(n.b. if anyone knows the proper pgp commandline syntax to extract a pgp secret key from the keyring, please post)

Thanks,

vedaal
Re: PGP and "Smart" Cards
On Tue, May 10, 2011 at 1:54 PM, Mark H. Wood wrote:
> The customer is the only one with a compelling
> incentive to change the system.

Why? Are not the Pay Card companies on the hook for most of the losses?

> --
> Mark H. Wood, Lead System Programmer mw...@iupui.edu
> Asking whether markets are efficient is like asking whether people are
> smart.

--
“Until we have the courage to recognize cruelty for what it is—whether its victim is human or animal—we cannot expect things to be much better in this world. We cannot have peace among men whose hearts delight in killing any living creature.”—Rachel Carson, Silent Spring
Re: PGP and "Smart" Cards
On Tue, May 10, 2011 at 2:31 PM, Scott Lambdin wrote:
> On Tue, May 10, 2011 at 1:54 PM, Mark H. Wood wrote:
>> The customer is the only one with a compelling
>> incentive to change the system.
>
> Why? Are not the Pay Card companies on the hook for most of the losses?

They have determined the losses are less than the cost of educating and implementing these intelligent plans, in the US at least.

--
Thomas Harning Jr.
Support my wife, Jenn, as she runs her first 10k, donations appreciated... every dollar helps!
http://www.akidagain.org/site/TR/Cincinnati5k10k2011/General?px=1127201&pg=personal&fr_id=1140
re: Problem with the pgp to gpg key migration
Pramod.R Pramod.R at target.com wrote on Mon May 9 14:43:06 CEST 2011:

> 1) Tried exporting the private and the public key from pgp using the commands:
>
> pgp -kx " " pubkey.pgp
> pgp -kx " " sec.pgp ~/.pgp/secring.skr

- remembered the workaround:

[1] copy secring.skr to a different location

[2] confirm that it is openable by the following command:

    pgp -kv (pathway to new location)secring.skr

if pgp lists the secret keys, then do the following:

    pgp -kxa keyname exportfilename.asc (pathway to new location)secring.skr

the resulting file, exportfilename.asc, will have both the private and public pgp keyblocks

n.b. if these are RSA keys, then you either need the IDEA module in gnupg, or need to first remove the passphrase and then export the key from pgp and then import them into gnupg

vedaal
secret key not available
I exported a key that was needed by a bank from a pgp 6.5.8 secret keyring and imported it into gpg using --import. Now when I sign using that key I get 'signing failed: secret key not available'.

In gpg I see the key when I do a gpg --list-keys, but don't see it when I do a gpg --list-secret-keys. When I cat the exported key asc block it describes itself as a public key.

Any clues as to what I need to do? I see this key on my pgp Public and secret keyrings.

JYard
UCLA
Re: secret key not available
On 05/10/2011 18:43, Yard, John wrote:
> I exported a key that was needed by a bank from a pgp 6.5.8 secret keyring
> ...
> When I cat the exported key asc block It describes itself as a public key.

So I think you've described the problem ... you didn't export the secret key, you exported the public one.

--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/