Re: Using the not-dash-escaped option

2012-02-02 Thread Werner Koch
On Wed,  1 Feb 2012 21:47, expires2...@rocketmail.com said:

 I'm not sure that helps me. See below.

 - --=20\n

:-)

Sure it does not work if you use

  Content-Transfer-Encoding: 7bit


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: On message signing and Enigmail...

2012-02-02 Thread Mark H. Wood
On Wed, Feb 01, 2012 at 09:26:18PM +, gn...@lists.grepular.com wrote:
 On 01/02/12 21:12, Doug Barton wrote:
  I've posted using the same key on probably a dozen mailing lists,
  I use it for all of my personal and work email. I use it to sign
  all of the comments on my blog. I use it to sign the front page
  of my website. There is very definite and obvious value in using
  the same key in multiple places to establish the connection
  between your key and your identity. Mailing lists are just
  another one of these places.
  
  The only thing what you're doing proves is that at the time those
  things were posted someone had control of the secret key, and that
  the messages weren't altered after they were signed. Beyond that
  everything is speculation.
 
 If you see somebody posting on another list using the same key that
 I've been using to post on this list, then you know it's the same
 person. If you come across my website and find the content on it
 signed by my key, you can connect my postings on this list with my
 website. And so on.

Well, no; what you know is that someone with access to the private key
and passphrase did it.  If someone steals your private key and
passphrase, they no longer uniquely identify you.  Signatures can't
protect against this form of imposture.

But they *can* protect against someone else simply creating another
key with the same name in it.  Not by themselves.  But the impostor,
in this case, cannot demonstrate control of your private key, and when
challenged, will be shown to be lying if he claims to be the person
who controls your key.

This still doesn't establish that the person named in the certificate
has control of the key, but use of the key to create a signature does
create evidence which can be investigated.  Someone could visit you in
person and ask you to create a recognizable signed object in his
presence using the same key.  If you can, then you are a person who
could have created the other signature.  If there is no evidence that
anyone else could have created the other signature, then there is good
reason to believe that you created it, though this is not proof.

Signatures also cannot establish *non*identity, since you could easily
have another key and pretend you don't.  If the key were somehow
produced, you could pretend you don't know the passphrase, and
demonstrate this any number of times by typing anything which is *not*
the passphrase.  This is roughly equivalent to claiming that unsigned
objects don't come from you.  The pattern that you establish is
evidence but not proof.

I would like to say that, while proof settles the matter, evidence
short of proof often has value.  I'm going to continue to sign every
email.  Besides, I'm too lazy to turn it on and off. :-)

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: GnuPG distribution signature

2012-02-02 Thread Nicholas Cole
On Tue, Jan 31, 2012 at 8:15 AM, Werner Koch w...@gnupg.org wrote:
 On Tue, 31 Jan 2012 00:06, faramir...@gmail.com said:
 Hello,
       Is key D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6 (
 0x4F25E3B6 ) the current key used for signing files? I suppose it is,

 Yes, it is.  See my OpenPGP mail header for a list of all my keys and
 their descriptions.

 There is a small error in the announcement:

     gpg --recv-key 4F25E3B6

   The distribution key 1CE0C630 is signed by the well known keys

 It should say

     gpg --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known keys

I've long thought that one nightmare scenario for OpenPGP would be an
ISP or other network gateway that transparently scanned all data
passing through it looking for specific key ids and fingerprints and
which silently changed them in webpages, email etc to fraudulent
values.  I can't imagine that it would be that difficult, and it would
be difficult to detect as well as tripping up anyone who relied on
well-known keys.

N



Re: PGP/MIME use

2012-02-02 Thread Avi
 -- Forwarded message --
 From: Robert J. Hansen r...@sixdemonbag.org
 To: gnupg-users@gnupg.org
 Cc:
 Date: Wed, 01 Feb 2012 18:12:24 -0500
 Subject: Re: PGP/MIME use
 On 2/1/12 5:53 PM, Hauke Laging wrote:
 Yes, I'm ignoring Windows, mostly because I have absolutely no idea
 where to begin estimating GnuPG users on Windows.  All I can do is
 mutter something about wovon man nicht sprechen kann, darüber muß man
 schweigen and quickly change the subject.  :)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512


OK, I'm sorry, but when someone drops Wittgenstein—on topic—on a
list about cryptography, there needs to be some recognition of
that.

Well done, sir.

- --Avi
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (MingW32) - GPGshell v3.78
Comment: Most recent key: Click show in box @ http://is.gd/4xJrs

-END PGP SIGNATURE-



User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) avi.w...@gmail.com
   Primary key fingerprint: 167C 063F 7981 A1F6 71EC  ABAA 0D62 B019 F80E 29F9



Wittgenstein (was Re: PGP/MIME)

2012-02-02 Thread Robert J. Hansen
On 2/2/12 2:03 PM, Avi wrote:
 OK, I'm sorry, but when someone drops Wittgenstein—on topic—on a 
 list about cryptography, there needs to be some recognition of 
 that.

Oh, Wittgenstein's wonderful.  I have a quote from him on a Post-It on
my monitor:

What makes a subject difficult to understand ... is not
 that some special instruction about abstruse things is
 necessary to understand it.  Rather it is the contrast
 between the understanding of the subject and what most
 people want to see. ... *The things that are most obvious
 can become the most difficult to understand.*

One of the hardest challenges I face with this stuff is figuring out
what I want something to be or mean, and then saying okay, now I need
to try and prove that wrong, so that along the way I might find out
what's right.  It's tough, but I've found it to be an effective way
of increasing understanding.

One of the hardest things in the human situation is discovering what
we want and why we want it.  Wrestling with it, though, makes us
better human beings -- and ultimately better engineers, too.



Re: Using the not-dash-escaped option

2012-02-02 Thread MFPA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Thursday 2 February 2012 at 9:50:34 AM, in
mid:874nv9va1h@vigenere.g10code.de, Werner Koch wrote:



 Sure it does not work if you use

   Content-Transfer-Encoding: 7bit


The message body looks exactly the same in the copy in my sentbox,
where the header you cite above says

Content-Transfer-Encoding: quoted-printable





- --
Best regards

MFPA    mailto:expires2...@rocketmail.com

No man ever listened himself out of a job
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-




Re: Wittgenstein (was Re: PGP/MIME)

2012-02-02 Thread reynt0

On Thu, 2 Feb 2012, Robert J. Hansen wrote:
 . . .

Oh, Wittgenstein's wonderful.  I have a quote from him on a Post-It on
my monitor:

What makes a subject difficult to understand ... is not
 that some special instruction about abstruse things is
 necessary to understand it.  Rather it is the contrast
 between the understanding of the subject and what most
 people want to see. ... *The things that are most obvious
 can become the most difficult to understand.*

 . . .

For several years I had the last seven words of the following
auf Deutsch painted decoratively by a hot rod artist on the
trunk lip of my car.  But the only people who ever commented
were a German tourist couple in a parking lot once.

Ich glaube einen Philosophen, einen der selbst denken kann,
koennte es interessieren meine Noten zu lesen.  Denn wenn
ich auch nur selten in's Schwarze getroffen habe, so wuerde
er doch erkennen, nach welchen Zielen ich unablaessig
geschossen habe  [from the Notebooks, IIRC at this moment]
(I believe a philosopher, one who can think for himself, can
be interested to read my notes.  Then if I even only seldom
in the black have shot [ie hit the archery target in center],
so would he nevertheless be able to know, at which target
I unremittingly have shot.)

The idea being that some things are so hard to talk about
that you have to work at them bit by bit and hope that the
shared continuity can be understood.  A little bit like
Zen, IMHO.  Also like trying to get security ideas across
publicly sometimes without saying everything so bluntly
that bad guy eavesdroppers can easily understand.



Re: Using the not-dash-escaped option

2012-02-02 Thread brian m. carlson
On Thu, Feb 02, 2012 at 08:45:56PM +, MFPA wrote:
 On Thursday 2 February 2012 at 9:50:34 AM, in
 mid:874nv9va1h@vigenere.g10code.de, Werner Koch wrote:
  Sure it does not work if you use
 
Content-Transfer-Encoding: 7bit
 
 
 The message body looks exactly the same in the copy in my sentbox,
 where the header you cite above says
 
 Content-Transfer-Encoding: quoted-printable

I think what Werner is saying is to use quoted-printable encoding; then,
the space will be represented as =20 (when encoded) and it will be less
likely to get eaten by hungry mail-handling tools.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
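
Added example (not part of the original thread and not GnuPG code): a Python sketch of the point made above, showing the dash-escaped signature delimiter as it appears on the wire under quoted-printable, and what a relay that strips trailing whitespace does to it under each transfer encoding. The sample body, `hungry_relay` and the other function names are constructed for illustration.

```python
import quopri

SIG_DELIM = b"-- "  # signature separator: two dashes plus ONE trailing space

# Constructed sample body (not taken from any message in the thread).
BODY = b"Hi\n\n-- \nBest regards\n"


def dash_escape(text: bytes) -> bytes:
    """OpenPGP cleartext dash-escaping: prefix '- ' to lines starting with '-'."""
    lines = text.splitlines(keepends=True)
    return b"".join(b"- " + ln if ln.startswith(b"-") else ln for ln in lines)


def wire_form(text: bytes) -> bytes:
    """Dash-escaped text as it travels when quoted-printable encoded."""
    return quopri.encodestring(dash_escape(text))


def hungry_relay(wire: bytes) -> bytes:
    """Hypothetical mail-handling tool that strips trailing spaces and tabs."""
    return b"".join(ln.rstrip(b" \t") + b"\n" for ln in wire.splitlines())


def deliver(body: bytes, cte: str) -> bytes:
    """Encode per Content-Transfer-Encoding, pass the relay, decode on receipt."""
    if cte == "quoted-printable":
        return quopri.decodestring(hungry_relay(quopri.encodestring(body)))
    return hungry_relay(body)  # 7bit: the body travels as-is


def has_sig_delimiter(body: bytes) -> bool:
    """True if a line consisting of exactly '-- ' is still present."""
    return SIG_DELIM in body.splitlines()


if __name__ == "__main__":
    print(wire_form(BODY))
    for cte in ("7bit", "quoted-printable"):
        print(cte, has_sig_delimiter(deliver(BODY, cte)))
```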




Re: Using the not-dash-escaped option

2012-02-02 Thread MFPA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Thursday 2 February 2012 at 9:53:00 PM, in
mid:20120202215300.ga6...@crustytoothpaste.ath.cx, brian m. carlson
wrote:


 I think what Werner is saying is to use
 quoted-printable encoding; then, the space will be
 represented as =20 (when encoded) and it will be less
 likely to get eaten by hungry mail-handling tools.


I already had/have the option set in my MUA for Transfer-encoding for
non-ascii characters in message text set to quoted-printable. The
other options are no encoding or base64.

- --
Best regards

MFPA    mailto:expires2...@rocketmail.com

To know what we know, and know what we do not know, is wisdom.
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-

