Re: Useful factoid

2011-10-11 Thread MFPA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Tuesday 11 October 2011 at 9:32:18 PM, in
, Robert J. Hansen wrote:


> Accurate to 6%, there are 2**25 seconds in a year.


[...]

> I don't know why it took me so long to notice that:
> seems like the sort of thing I should've noticed a
> decade ago.

I suppose you didn't need to notice it because you already remembered
"pi seconds in a nano-century"

- --
Best regards

MFPAmailto:expires2...@ymail.com

A nod is as good as a wink to a blind bat!
-BEGIN PGP SIGNATURE-

iQCVAwUBTpTlNaipC46tDG5pAQo8NgP/f/etxoSVmn5rhWCc/mUxaoO4U4HD/9TB
snAV8qD1mZU2dzvkzrlZXMlIgr3pYzEXTImSGfsmjBLH90Q/hGdvAvlC2smW8Ezw
Net+bV/vw6r8TFKbwoF7ubIK4/27A3bSoq3up5t0PrEK2dOGIpTYnPgfEY5pIfe/
jz1JYCPJNhE=
=/wzd
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Jerome Baum
On 2011-10-11 16:54, Robert J. Hansen wrote:
> Okay, fine: you can exclude all six-digit numbers (900,000 of them), all
> five-digit numbers (90,000 of them), all four-digit numbers (9,000 of
> them), all three-digit numbers (900 of them), all two-digit numbers (90
> of them) and all one-digit numbers (ten of them) [*].  You've excluded
> 900,000 + 90,000 + 9,000 + 900 + 90 + 10 = one million total numbers out
> of the possible ten million.  You've reduced the keyspace by 10%.

That "10%" really depends on what you are revealing. Consider a 256-bit
key. Telling you that it's "proper" 256 bits (i.e. MSB is 1) I've just
halved the search space. I'd guess that revealing that a single base-n
digit is non-zero you loose 1/n of the keyspace (base-10: 10%, base-2: 50%).

Let's see: given m base-n digits, the keyspace has n^m elements.
Revealing one of those digits to be non-zero, the search space is
reduced to (n-1)*n^(m-1), so you've lost n^m-(n-1)*n^(m-1) items from
your keyspace. That's (n^m-(n-1)*n^(m-1))/n^m of your keyspace, i.e.
1-(n-1)/n = 1/n.

So the bit case is the worst-case, and even though I'm paranoid enough
for a 4096-bit pubkey, I can sleep well when a 256-bit symmetric key is
really worth 255 bits. :-)

P.S. where did the [*] go?

> If his passphrase has zero margin of safety, he's done something
> foolish: his passphrase no longer meets his entropy requirements.  On
> the other hand, if his passphrase is longer than necessary to meet his
> requirements, he can afford to throw out 10% of the potential keyspace
> without losing any sleep.
> 
> What he's done here is pretty much exactly what I've described, just in
> a different numerical base.
> 
> Tell you what: I'll put my money where my mouth is.  The low-order bits
> of the primes that comprise my private key are both '1'.  Doesn't help
> you out very much, does it?  ;)

Oh, also, "this!"

-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Useful factoid

2011-10-11 Thread Jean-David Beyer
Robert J. Hansen wrote:
> Accurate to 6%, there are 2**25 seconds in a year.  Worth remembering:
> it makes certain kinds of computations much easier.  (It follows there
> would be about 2**35 seconds in a thousand years, or 2**45 seconds in a
> million.)
> 
> E.g., let's say you want to brute-force an 64-bit key on a CPU that can
> do a million (2**20) attempts per second.  This requires, on average,
> 2**63 attempts.  2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 =
> a quarter of a million years.

Let us assume you are the bad guy and have computing power that can do
an arbitrarily large number of key attempts per second. Unless you have
my encrypted keys, you have to access my computer (unless you have
already stolen it, in which case there are much easier ways to invade
the machine), you will have to try logging in through the Internet (in
the case of my machine), and the first thing you will hit is the login
program. This can probably handle only a few attempts per second, and if
I were serious about security, I would have it double the time to reply
each time it got a failed login on that connection. In the days of
dialup, I would have the machine hang up on the connection with too many
failed login attempts.

Of course, if you could get into my machine and login as the only user
with access to my encrypted password file, you could copy that file to
your high speed facility and crack it at your leisure. But if you could
do that, you could already do anything you wanted with my machine --
install trojan horse keyloggers, defeat the security in the login
program, etc.

> 
> I don't know why it took me so long to notice that: seems like the sort
> of thing I should've noticed a decade ago.  It makes certain kinds of
> computations so much easier.
> 
> Anyway, figured I'd throw it out on the off chance there were others who
> hadn't noticed it.



-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jerseyhttp://counter.li.org
 ^^-^^ 17:05:02 up 5 days, 1:38, 4 users, load average: 4.73, 4.76, 4.82

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Useful factoid

2011-10-11 Thread Robert J. Hansen
Accurate to 6%, there are 2**25 seconds in a year.  Worth remembering:
it makes certain kinds of computations much easier.  (It follows there
would be about 2**35 seconds in a thousand years, or 2**45 seconds in a
million.)

E.g., let's say you want to brute-force an 64-bit key on a CPU that can
do a million (2**20) attempts per second.  This requires, on average,
2**63 attempts.  2**63 / 2**20 = 2**43 seconds: 2**43 / 2**45 = 2**-2 =
a quarter of a million years.

I don't know why it took me so long to notice that: seems like the sort
of thing I should've noticed a decade ago.  It makes certain kinds of
computations so much easier.

Anyway, figured I'd throw it out on the off chance there were others who
hadn't noticed it.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


gpg version 2.0.17 with libgcrypt 1.4.6

2011-10-11 Thread Banks, Michael B
Hi,

Another developer and I have downloaded and compiled and built the versions of 
gpg listed.  I have generated the keys successfully and when I try running gpg 
as a test to encrypt a file I am getting bus errors.  I have started the agent 
as you can see below as well.  I also did a list-keys to show my keys I'm 
testing with as well.  Does anyone have any ideas as to why I am getting a bus 
error? I've looked at a lot of documentation and browsed the internet but am 
not finding anything.

Thanks,

Mike



gpg (GnuPG) 2.0.17
libgcrypt 1.4.6

ACTUAL RUN
--
mb55918[crdap400] cat test.log | gpg -v -e -r mb55918 --output test.gpg
Warning: using insecure memory!
gpg: using PGP trust model
gpg: using subkey 8A6C440C instead of primary key F8A311AD
gpg: This key belongs to us
gpg: reading from `[stdin]'
File `test.gpg' exists. Overwrite? (y/N) y
gpg: writing to `test.gpg'
ksh: 14336 Bus Error

LIST OF KEYS


mb55918[crdap400] gpg --list-keys
Warning: using insecure memory!
/home/cchome01/mb55918/.gnupg/pubring.gpg
-
pub   1024D/F8A311AD 2011-09-29
uid  mb55918 (mb55918) 
sub   1024g/8A6C440C 2011-09-29

AGENT
-

mb55918 27018 1   0 10:20:37 ?   0:00 gpg-agent --daemon 
--use-standard-socket --pinentry-program /opt/software/biadm




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Multiple signatures

2011-10-11 Thread Werner Koch
On Tue, 11 Oct 2011 13:55, pje...@gmail.com said:

> Other problem I've noticed when I signed file in non-batch mode is that
> I’ve specified to use SHA512 for second signature.

You didn't.  What you did is to specify an S2K hash algorithm which is
used to turn passphrases into keys.  Further it is not possible to
change the algorithms for each key.  You may be better off not to tinker
around with algorithm options if you don't have a close understanding of
how they work.  GnuPG has sensible defaults and a preference system to
select algorithms.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


re: key selection in batch decryptions

2011-10-11 Thread vedaal
John A. Wallace jw72253 at verizon.net wrote on
Mon Oct 10 23:18:21 CEST 2011 :


>Is there a way to tell gpg to use just one of the keys if
any?  I have tried specifying this as one of the options "-u 
userID", but it seems to ignore my specification and it always 
tries to use a different key from the one I intend.


Not with a direct command, but with a simple workaround.
Make another keyring with only the key(s) you want tried, and point 
gnupg to that keyring for that batch job.


vedaal


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Avi
> -- Forwarded message --
> From: "Robert J. Hansen" 
> To: Jerome Baum , gnupg-users@gnupg.org
> Date: Tue, 11 Oct 2011 08:27:47 -0400
> Subject: Re: Why revoke a key?
> On 10/10/2011 5:44 PM, Jerome Baum wrote:
>> But remember Murphy's(?) law! -- (I mean the one about doubling computer
>> power every 18 months -- are there two Murphy's laws? Confused now...)
>
> Moore's Law.
>
> For reference, a 40-bit key is breakable today by just about anyone, a
> 64-bit key is breakable today by people with access to significant
> computational resources (hundreds of machines), and it's plausible to
> believe fantastically wealthy adversaries can break 80-bit keys.
>
> In 1998, EFF's DEEP CRACK exhausted a 56-bit keyspace in roughly 24
> hours at a cost of $250,000.  Assuming Moore's Law holds true, that
> means it could be built today with equivalent performance for about $1,000.
>
> A 64-bit keyspace is only a factor of 250 harder: a DEEP CRACK/64 could
> theoretically be made at a cost of $250,000.  An 80-bit keyspace is a
> factor of 50,000 harder, more or less, putting the price of that at $12
> billion, somewhere in there.
>
> This is really rough back-of-the-envelope calculation, but it passes my
> sniff test.

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Somewhat outdated, but here is a webpage that makes some
comparisons. They don't give the bitsize of the keys, just the
number of combinations, but it is still representative.


Some other interesting, but likely outdated, discussions:


 <-- discusses PGP

Avi
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32) - GPGshell v3.77
Comment: Most recent key: Click show in box @ http://is.gd/4xJrs

iJgEAREKAEAFAk6UWfc5GGh0dHA6Ly9wZ3AubmljLmFkLmpwL3Brcy9sb29rdXA/
b3A9Z2V0JnNlYXJjaD0weEY4MEUyOUY5AAoJEA1isBn4Din5gXcBAJhFPQdzW6Xm
+yGodASC7eBNvkyE67/eHZZK+xLWe+faAP4ghpRCy6ryU8F0Yz65JmzEmmpyFGKw
vuJ2Oxoq7UTO+g==
=Fdds
-END PGP SIGNATURE-


User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) 
  Primary key fingerprint: 167C 063F 7981 A1F6 71EC  ABAA 0D62 B019 F80E 29F9

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Robert J. Hansen
On 10/11/11 9:41 AM, Jean-David Beyer wrote:
> But in a sense, was it not unwise to tell me your passphrase length? I
> will now set up my hypothetical exhaustive search cracker not to bother
> with passphrases less than 32 characters or longer than 32 characters.
> This reduces the size of the search space I must examine. Of coarse, the
> shorter ones can be tested faster than the longer ones.

Not really.  Imagine if you knew his passphrase was a number, but not
how long it was.  Now he tells you, "it's a seven-digit number."

Okay, fine: you can exclude all six-digit numbers (900,000 of them), all
five-digit numbers (90,000 of them), all four-digit numbers (9,000 of
them), all three-digit numbers (900 of them), all two-digit numbers (90
of them) and all one-digit numbers (ten of them) [*].  You've excluded
900,000 + 90,000 + 9,000 + 900 + 90 + 10 = one million total numbers out
of the possible ten million.  You've reduced the keyspace by 10%.

If his passphrase has zero margin of safety, he's done something
foolish: his passphrase no longer meets his entropy requirements.  On
the other hand, if his passphrase is longer than necessary to meet his
requirements, he can afford to throw out 10% of the potential keyspace
without losing any sleep.

What he's done here is pretty much exactly what I've described, just in
a different numerical base.

Tell you what: I'll put my money where my mouth is.  The low-order bits
of the primes that comprise my private key are both '1'.  Doesn't help
you out very much, does it?  ;)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Jean-David Beyer
David Tomaschik wrote (in part):

> If you value your OpenPGP key, I would not trust it to 24 bits of 
> entropy.  My off-card backup of my key is protected by a 32-character
>  passphrase that I believe to be highly resistant to dictionary
> attack (and contains sufficient special characters that I believe its
> entropy to be close to the optimal 6.5 bits per symbol).  But perhaps
> I'm delusional.
> 
I do not know about delusional.

But in a sense, was it not unwise to tell me your passphrase length? I
will now set up my hypothetical exhaustive search cracker not to bother
with passphrases less than 32 characters or longer than 32 characters.
This reduces the size of the search space I must examine. Of coarse, the
shorter ones can be tested faster than the longer ones.

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jerseyhttp://counter.li.org
 ^^-^^ 09:35:01 up 4 days, 18:08, 4 users, load average: 5.13, 5.25, 5.22

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread David Tomaschik
On Mon, Oct 10, 2011 at 5:44 PM, Jerome Baum
 wrote:
> On 2011-10-10 23:29, Jan Janka wrote:
>>
>> How long would it take to execute a successful brute force attack on
>> a pasphrase consisting of 12 symbols (symbols available on common
>> keyboards)?
>
> Calculate how many combinations there are, assume some number of tries
> per second (you can experimentally find this out), and there you go.
>
> But remember Murphy's(?) law! -- (I mean the one about doubling computer
> power every 18 months -- are there two Murphy's laws? Confused now...)
>
> You can measure the strength of your password in bits of entropy, which
> is basically the log base 2 of the number of combinations. So if there
> are 64 possible combinations (a single alphanum case-sensitive
> password-ish) then you have 6 bits of entropy. In the diceware FAQ at
> www.diceware.com you can find info about how long a password with a
> given number of bits is supposed to be secure. Also some tips on how to
> pick a memorizable secure passphrase.


A very important distinction must be made between randomly-generated
passwords and human-generated passwords.  Based on a NIST study on
password entropy[1], a 12 character password has only about 24 bits of
entropy.  Of course, if you're careful about your passphrase
generation schemes, you can probably achieve higher than that while
still generating your own password.

If you value your OpenPGP key, I would not trust it to 24 bits of
entropy.  My off-card backup of my key is protected by a 32-character
passphrase that I believe to be highly resistant to dictionary attack
(and contains sufficient special characters that I believe its entropy
to be close to the optimal 6.5 bits per symbol).  But perhaps I'm
delusional.


[1] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Robert J. Hansen
On 10/10/2011 5:44 PM, Jerome Baum wrote:
> But remember Murphy's(?) law! -- (I mean the one about doubling computer
> power every 18 months -- are there two Murphy's laws? Confused now...)

Moore's Law.

For reference, a 40-bit key is breakable today by just about anyone, a
64-bit key is breakable today by people with access to significant
computational resources (hundreds of machines), and it's plausible to
believe fantastically wealthy adversaries can break 80-bit keys.

In 1998, EFF's DEEP CRACK exhausted a 56-bit keyspace in roughly 24
hours at a cost of $250,000.  Assuming Moore's Law holds true, that
means it could be built today with equivalent performance for about $1,000.

A 64-bit keyspace is only a factor of 250 harder: a DEEP CRACK/64 could
theoretically be made at a cost of $250,000.  An 80-bit keyspace is a
factor of 50,000 harder, more or less, putting the price of that at $12
billion, somewhere in there.

This is really rough back-of-the-envelope calculation, but it passes my
sniff test.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Multiple signatures

2011-10-11 Thread pjemen

On 3. 10. 2011 23:59, David Shaw wrote:

On Oct 3, 2011, at 1:49 PM, pet jemen wrote:


Hi,

I want to sign binary data in OpenPGP Message Format.
I want sign it by two or more keys.
According to http://tools.ietf.org/html/rfc4880#section-5.4 it seems it is 
possible.
  (A one-octet number holding a flag showing whether the signature is nested.  
A zero value indicates that the next packet is another One-Pass Signature 
packet that describes another signature to be applied to the same message data.)

I'd like to use gpg from command-line to sign an input file by two keys.
I tried to sign it by:
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test1 
(test1)" -o %1.signed --sign %1
gpg2.exe --quiet --yes --force-v3-sigs -z 0 -u "test2 
(test2)" -o %1.signed2 --sign %1.signed

But the second signature signed the first one also with the first signature.
I need to sign it in way were I can verify signature of signed data by both 
keys (the last octet of One-Pass Signature Packets (Tag 4) packet should be 
equal to zero).

Just repeat -u as many times as you need:

   gpg -u the-first-key -u the-second-key -u the-third-key -u etc --sign thefile

David


Thank you for your advice.

It is exactly what I was looking for.
I've few more questions.

Reason why I want sign files this way is to maintain compatibility and 
add additional signature for verifying.

I'd like to sign file in batch mode this way.

gpg2.exe --batch --quiet --yes --force-v3-sigs -z 0 --s2k-digest-algo 
SHA-1 --passphrase-file %passFile1% -u "t0001 " 
--s2k-digest-algo SHA512 --passphrase-file %passFile2% -u "t0002 
" -o %1.signed --sign %1


It sees that pgp doesn't take password from files if I sign by multiple 
keys.

If I sign files just by one key it works.
Is there a way how to sign file with multiple signatures by two commands 
and to get the same OpenPgp binary format?


Other problem I've noticed when I signed file in non-batch mode is that
I’ve specified to use SHA512 for second signature.
Problem is that the 3rd octed of One-Pass Signature Packetbodyin signed 
file is 0x08 which is sha256 according 
http://tools.ietf.org/html/rfc4880#section-9.4


Any ideas why there isn't 0x0a?

Any help is welcome.

Pavol Misik

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Ivan Shmakov
> Jerome Baum  writes:
> On 2011-10-10 23:29, Jan Janka wrote:

 >> How long would it take to execute a successful brute force attack on
 >> a pasphrase consisting of 12 symbols (symbols available on common
 >> keyboards)?

 > Calculate how many combinations there are, assume some number of
 > tries per second (you can experimentally find this out), and there
 > you go.

 > But remember Murphy's(?) law! -- (I mean the one about doubling
 > computer power every 18 months -- are there two Murphy's laws?
 > Confused now...)

That's used to be Moore's [1].

On a second thought, I guess that /both/ of them are to be
considered when it comes to information security.

[1] http://en.wikipedia.org/wiki/Moore's_law

[…]

-- 
FSF associate member #7257


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


unsubscribe

2011-10-11 Thread Sethukumar.R


Sethukumar Ramachandran * Technical Lead * SunGard * Global Services * 
Divyasree Chambers, Langford Road, Bangalore 560025, India
Tel : +91-80- 0501 * Mobile: +91-9980012150 * 
www.sungard.com/sts

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to use a GnuPG card on multiple computers?

2011-10-11 Thread Urs Hunkeler

Hi Werner,

Thanks a lot!

Cheers,
Urs


On 10/11/11 11:03 AM, Werner Koch wrote:

On Tue, 11 Oct 2011 09:37, urs.hunke...@epfl.ch said:


gpg to use the card to encrypt my messages. How can I add such stubs
to my keyring on a different computer to point to existing keys on my
card without having to regenerate the keys (which would render the

You insert the card on that other box and enter

$ gpg2 --card-edit

this creates the stub.  To retrieve the public key you may now enter:

gpg/card>  fetch

this uses the URL field of the card to retrieve the key.


Salam-Shalom,

Werner




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Why revoke a key?

2011-10-11 Thread Jerome Baum
On 2011-10-10 23:29, Jan Janka wrote:
> 
> How long would it take to execute a successful brute force attack on
> a pasphrase consisting of 12 symbols (symbols available on common
> keyboards)?

Calculate how many combinations there are, assume some number of tries
per second (you can experimentally find this out), and there you go.

But remember Murphy's(?) law! -- (I mean the one about doubling computer
power every 18 months -- are there two Murphy's laws? Confused now...)

You can measure the strength of your password in bits of entropy, which
is basically the log base 2 of the number of combinations. So if there
are 64 possible combinations (a single alphanum case-sensitive
password-ish) then you have 6 bits of entropy. In the diceware FAQ at
www.diceware.com you can find info about how long a password with a
given number of bits is supposed to be secure. Also some tips on how to
pick a memorizable secure passphrase.

> If the attacker only got the passphrase and not the private key, I
> can simply change the passphrase to be secure again. Right? So I'd
> say my key is compromised if I think an attacker got BOTH, the
> passphrase AND the key.

Yes but remember the attacker might get at an old version of your key
that still used the old passphrase.

-- 
Q: What is your secret word?
A: That's right.
Q: What's right?
A: Yes.
Q: Sir, you're going to have to tell me your secret word.
A: What?
Q: I said please tell me your secret word.
A: What?
Q: What's your secret word?
A: Yes.
Q: Sorry, "yes" is not your secret word. You have two more chances.
A: I said what?
Q: Yes.
A: Right, so you admit I said it.
Q: No, you said "yes."
A: No, "what!"
Q: When?
A: When you asked for my secret word!
Q: What?
A: Yes!
Q: I'm sorry, that's incorrect. You have one more chance to say your
secret word.
A: I'd like to speak to your supervisor.
Q: Very well, I'll transfer you. His name is Hu.

(http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to use a GnuPG card on multiple computers?

2011-10-11 Thread Werner Koch
On Tue, 11 Oct 2011 09:37, urs.hunke...@epfl.ch said:

> gpg to use the card to encrypt my messages. How can I add such stubs
> to my keyring on a different computer to point to existing keys on my
> card without having to regenerate the keys (which would render the

You insert the card on that other box and enter

   $ gpg2 --card-edit

this creates the stub.  To retrieve the public key you may now enter:

   gpg/card> fetch

this uses the URL field of the card to retrieve the key.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


How to use a GnuPG card on multiple computers?

2011-10-11 Thread Urs Hunkeler

Hi,

How can I use a GnuPG card on multiple computers?

My understanding is that when I let the card generate the keys, a stub 
for each key pair is automatically added to my keyring and instructs gpg 
to use the card to encrypt my messages. How can I add such stubs to my 
keyring on a different computer to point to existing keys on my card 
without having to regenerate the keys (which would render the card 
unusable for the first computer)?


Thanks,
Urs


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: key selection in batch decryptions

2011-10-11 Thread Werner Koch
On Mon, 10 Oct 2011 23:18, jw72...@verizon.net said:

> keys in turn.  Is there a way to tell gpg to use just one of the keys if
> any?  I have tried specifying this as one of the options "-u userID", but it

No there is no way to do this.

The best suggestion for all automated systems is not to use a
passphrase.  If you really want a passphrase and you require full
control over it you have three choices:

 - Write your own pinentry and send CANCEL back until the desired
   passphrase is requested.  Then send the right passphrase.

 - Write a simple pinentry to always send a CANCEL back (GnuPG 2.1 will
   have an option to emulate this).  The use gpg-preset-passphrase to
   seed gpg-agent with the desired passphrase.

 - Use --status-fd/--command-fd.  These options allow you to
   pass a passphrase to gpg entirely under script control.  They work
   even with GnuPG 1.4.



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users