How to add authentication capabilities to an existing key?

2013-09-10 Thread Anthony Papillion

Is there a good way to add authentication capabilities to an existing
RSA key? I see how to toggle it if I create a new subkey but not how
to add it to an existing key.

Thanks,
Anthony

--
Anthony Papillion
XMPP/Jabber:  cypherp...@patts.us
OTR Fingerprint:  4F5CE6C07F5DCE4A2569B72606E5C00A21DA24FA
SIP:  17772471...@callcentric.com
PGP Key:  0x53B04B15


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys

2013-09-10 Thread Werner Koch
On Mon,  9 Sep 2013 21:41, p...@heypete.com said:

> Werner would change the hard-coded maximum keysize from the current
> 4096 to, say 8192 (or 15,360 or 16,384) bits so that users who desired

As of now I see no reason at all to lift this limit.  It is there for a
good reason, namely making crypto accessible to all people.

There are several problems with overlong encryption keys, to name just
two:

 - If you use an 8k encryption key you should also use an 8k primary
   certification key because that is the key which is used to keep the
   parts of an OpenPGP keyblob together.  Without that it is easy to
   slip in another encryption key.  Now, 8k RSA signatures are a pain in
   the registers.  It takes too long to verify the hundreds of
   signatures people have on their keyrings - even on fast machines.

 - Some MUA decrypt messages on the fly while you are browsing through
   all the new mails - if that takes too long due to the many 8k keys,
   it makes the MUA unusable.

But thank you, Ole, that you trust our coding capabilities more than the
strong math of a 2K RSA key.  I am not sure whether this is justified,
though.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys

2013-09-10 Thread yyy


- Original Message - 
From: Werner Koch w...@gnupg.org

To: Pete Stephenson p...@heypete.com
Cc: GnuPG Users Mailing List gnupg-users@gnupg.org
Sent: Tuesday, September 10, 2013 12:07 PM
Subject: Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys


> - Some MUA decrypt messages on the fly while you are browsing through
>   all the new mails - if that takes too long due to the many 8k keys,
>   it makes the MUA unusable.

This is only a problem for users who choose to use an 8k key, not for anyone else.



The symmetric ciphers

2013-09-10 Thread Philipp Klaus Krause

I wonder if it would be a good idea to have an option to combine
symmetric ciphers, e.g. users could state a preference list like this:

TWOFISH+AES256 3DES+BLOWFISH+AES AES 3DES

The meaning of A+B would be to encrypt using A first, and then encrypt
the result using B with a different key. Assuming it takes effort a to
break cipher A and effort b to break cipher b, this should result in
effort at least max(a, b) needed to break A+B. And with uncertainty
about possible weaknesses in individual ciphers, this seems like a
reasonable measure to me.

Philipp


Re: How to add authentication capabilities to an existing key?

2013-09-10 Thread Paul R. Ramer
Anthony Papillion anth...@cajuntechie.org wrote:
> Is there a good way to add authentication capabilities to an existing
> RSA key? I see how to toggle it if I create a new subkey but not how
> to add it to an existing key.
> [snip]

Hello Anthony,

As far as I know, there is no such capability to do that with gpg.  You have to 
set that capability when you create the key.  HTH.

Cheers,

--Paul



Re: The symmetric ciphers

2013-09-10 Thread Paul R. Ramer
Philipp Klaus Krause p...@spth.de wrote:
> I wonder if it would be a good idea to have an option to combine
> symmetric ciphers, e.g. users could state a preference list like this:
>
> TWOFISH+AES256 3DES+BLOWFISH+AES AES 3DES
>
> The meaning of A+B would be to encrypt using A first, and then encrypt
> the result using B with a different key. Assuming it takes effort a to
> break cipher A and effort b to break cipher b, this should result in
> effort at least max(a, b) needed to break A+B. And with uncertainty
> about possible weaknesses in individual ciphers, this seems like a
> reasonable measure to me.

You may just prefer to use a key with a larger size and a better password. But 
if you do want to do this, I am sure that you could write a script or program 
that could take advantage of GnuPG for this purpose.

Cheers,

--Paul
-- 
PGP: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884


Re: How to add authentication capabilities to an existing key?

2013-09-10 Thread Werner Koch
On Tue, 10 Sep 2013 12:35, free10...@gmail.com said:

> As far as I know, there is no such capability to do that with gpg.  You have
> to set that capability when you create the key.  HTH.

Right, you need to change the source to add such a feature.  I agree
that adding a way to add an authentication capability to a key might
make sense in some cases.  As soon as this emerges as a real world use
case, I am pretty sure it will be added.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: How to add authentication capabilities to an existing key?

2013-09-10 Thread Anthony Papillion

On 09/10/2013 05:35 AM, Paul R. Ramer wrote:
> Anthony Papillion anth...@cajuntechie.org wrote:
>> Is there a good way to add authentication capabilities to an
>> existing RSA key? I see how to toggle it if I create a new subkey
>> but not how to add it to an existing key.
>> [snip]
>
> Hello Anthony,
>
> As far as I know, there is no such capability to do that with gpg.
> You have to set that capability when you create the key.  HTH.

Thanks, Paul! I don't really need the feature anyway, I just read
about it and figured 'why not?'  Plus I wanted to investigate what it
was for. After the responses from both you and Werner, I'm not that
concerned about it.

Thanks!
Anthony


--
Anthony Papillion
XMPP/Jabber:  cypherp...@patts.us
OTR Fingerprint:  4F5CE6C07F5DCE4A2569B72606E5C00A21DA24FA
SIP:  17772471...@callcentric.com
PGP Key:  0x53B04B15



Re: Fedora GPG Key Server

2013-09-10 Thread Werner Koch
On Mon,  9 Sep 2013 15:44, marcio.barb...@gmail.com said:
> This whole NSA blackmailing situation is causing strange reactions in you,
> sir.

This has nothing to do with the NSA.  There are two reasons:

I don't like to switch tasks too often.  My main way of communication is
by mail and I read and reply to a bunch of mails at once.  Switching
between Emacs and Conkeror is just disturbing and loading web pages
often takes several seconds.

Further, I am often offline (think train or hammock in the garden) and
thus have no way or incentive to read online stuff.


Shalom-Salam,

   Werner


p.s.  Right, I am not a digital native.  I grew up mostly with analog
communication; for example mobile using the SSB “protocol” with an
IC202.  But to some extent also digital with a T37 for RTTY up in the
shack.

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: GPG and Outlook revisited

2013-09-10 Thread Werner Koch
On Mon,  9 Sep 2013 23:38, do...@dougbarton.us said:

> It's worth noting for sake of argument that the same exact concerns
> apply to the pre-packaged binaries of GnuPG for Windows.

The difference is that it is possible to build it on your own.  If you
are concerned, please do that.

I would be more concerned about all the open source libraries we use - I
am not able to check them for backdoors.  But at least there is a chance
that such a backdoor will be revealed and may even be tracked down to
that innocent hacker whose development box has been bugged by a TLA :-(


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Why trust gpg4win?

2013-09-10 Thread Werner Koch
On Tue, 10 Sep 2013 09:50, ndk.cla...@gmail.com said:

> First error: USB is *not* a peer protocol. It's master-slave. FireWire
> is a peer protocol.

However, that is implemented by computers at both ends and the software
there may have backdoors or exploitable code which could be used for all
kinds of tricks.  Look only at the trend to use HID as simple driver-less
way to connect about anything to a computer.  Emulated keyboard which
sends ANSI control codes to take over your box without you noticing?

> You'd be exposed nearly to the same attack vectors. Plus some more (the
> ones that handle the extra layer), so you'd have to check more code.

So what about using that free USB stack for AVR's to implement a flash
device?  You would be able to audit about everything; flylogic even has
these nice pictures of the ATmega88 masks...


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: The symmetric ciphers

2013-09-10 Thread Robert J. Hansen
On 9/10/2013 6:35 AM, Philipp Klaus Krause wrote:
> I wonder if it would be a good idea to have an option to combine
> symmetric ciphers, e.g. users could state a preference list like
> this:

No.  This idea gets floated every few years and the answers never
change.  It's not a good idea.  If you look in the list archives you can
find some pretty long, detailed writeups on why.

> Assuming it takes effort a to break cipher A and effort b to break
> cipher b, this should result in effort at least max(a, b) needed to
> break A+B.

Basically, though, this is a naive and unfounded assumption.



Re: Problems using 10kbit keys in GnuPG instead of 4kbit keys

2013-09-10 Thread Pete Stephenson
On Tue, Sep 10, 2013 at 3:31 PM, Ole Tange ta...@gnu.org wrote:
> I have not heard of the primary certification key before. Is it the
> 'C' in 'usage: SCEA'?

Yes. The certification key is used when signing (more properly,
certifying) other people's public keys.

A signing key can be used for signing files or messages but the
certification key is used for signing other people's keys.

In short, it's the primary key.

> Can that be changed without losing signatures on the public key? If
> so, then the size of that can be increased slowly when needed.

Unfortunately not. It is the primary key and its properties (e.g. key
length) cannot be changed.

Cheers!
-Pete



Re: Why trust gpg4win?

2013-09-10 Thread Jan

On 10/9/2013 14:19, Werner Koch wrote :

> However, [USB] is implemented by computers at both ends and the software
> there may have backdoors or exploitable code which could be used for all
> kinds of tricks [...]


I am shocked! Why was USB constructed that insecure?!

On 10/9/2013 14:19, Werner Koch wrote :

> So what about using that free USB stack for AVR's to implement a flash
> device?  You would be able to audit about everything; flylogic even has
> these nice pictures of the ATmega88 masks...


I don't understand this, what does AVR etc. mean? Is there a substitution for 
USB? I'd be grateful for an explanation.


Kind regards,
Jan




Re: Why trust gpg4win?

2013-09-10 Thread David Smith
On 09/10/13 15:16, Jan wrote:
> I don't understand this, what does AVR etc. mean? Is there a substitution for
> USB? I'd be grateful for an explanation.

AVR is a semiconductor manufacturer who make microcontrollers (amongst
other things).



RE: Decrypt Issue

2013-09-10 Thread Diaz, John, A
Spoke too soon.  The wrong path was part of the problem, but I’m still having 
the issue:


Mainframe calls .bat file that calls C# application that calls second .bat file 
to call GnuPG to decrypt a file. Once decrypted, other stuff happens, e-mails 
are sent, blah, blah, blah.

Here's the issue: When the mainframe calls the .bat file to start the process, 
the decryption returns:
Decrypt error :gpg: armor header: Version: GnuPG v1.4.9 (AIX)
gpg: public key is 07F7097A
gpg: encrypted with ELG-E key, ID 07F7097A
gpg: decryption failed: secret key not available




If I RDP into the server with the credentials specified in the mainframe JCL, I 
see this from the decrypt:

gpg: armor header: Version: GnuPG v1.4.9 (AIX)
gpg: public key is 07F7097A
gpg: using subkey 07F7097A instead of primary key AB96877A
gpg: using subkey 07F7097A instead of primary key AB96877A
gpg: encrypted with 2048-bit ELG key, ID 07F7097A, created 2007-05-25
  FMCSFTPKey e-mail address
gpg: AES256 encrypted data
gpg: original file name='DE-ETE-090313'



What do I need to do, or have the owners of the encrypted data do, to resolve 
this?



From: Paul R. Ramer [mailto:free10...@gmail.com]
Sent: Tuesday, September 10, 2013 12:46 AM
To: Diaz, John, A
Cc: gnupg-users@gnupg.org
Subject: RE: Decrypt Issue

Diaz, John, A jd...@azdes.gov wrote:

Paul, got it figured out.  Programmer too stupid.  The path to gpg.exe had 
changed, and I didn't catch it.

-Original Message-
From: Paul R. Ramer [mailto:free10...@gmail.com]
Sent: Saturday, September 07, 2013 2:22 PM
To: Diaz, John, A
Cc: gnupg-users@gnupg.org
Subject: Re: Decrypt Issue

On 09/04/2013 01:54 PM, Diaz, John, A wrote:

Mainframe calls .bat file that calls C# application that calls second .bat file 
to call GnuPG to decrypt a file. Once decrypted, other stuff happens, e-mails 
are sent, blah, blah, blah.

Here's the issue: When the mainframe calls the .bat file to start the process, 
the decryption returns:
Decrypt error :gpg: armor header: Version: GnuPG v1.4.9 (AIX)
gpg: public key is 07F7097A
gpg: encrypted with ELG-E key, ID 07F7097A
gpg: decryption failed: secret key not available

if I list the keys on the server that this is running I see the key listed.

Here's the goofy part: If I login to the server with the credentials that the 
mainframe uses to call the first .bat file, and manually run the .bat file that 
starts the whole process, it runs correctly.

Hello John,

When you say that you log in to the server,  are you logging into a user 
account on the server?  And do you get a command prompt (i.e. you are ssh-ing 
into your server)?

Cheers,

--Paul

--
PGP: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884





Well, I am glad you figured it out. :-)

Cheers,

--Paul
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: The symmetric ciphers

2013-09-10 Thread Josef Schneider
On Tue, Sep 10, 2013 at 3:30 PM, Robert J. Hansen r...@sixdemonbag.org wrote:

>> Assuming it takes effort a to break cipher A and effort b to break
>> cipher b, this should result in effort at least max(a, b) needed to
>> break A+B.
>
> Basically, though, this is a naive and unfounded assumption.

Why? Assuming the Keys are not related (e.g. by creating random keys and
then encrypting them both with RSA) this is safer, assuming the attacker
can crack one of the two symmetric ciphers but not RSA.
If you use the same/related Keys for both encryptions and/or the ciphers
don't interact somehow (like when using ROT-13 two times) it is indeed less
secure!


Re: message digest for signed emails

2013-09-10 Thread Daniel Kahn Gillmor
On 09/10/2013 09:12 AM, Adam Gold wrote:

> My gpg.conf contains the following lines:
>
> default-preference-list SHA512 SHA256 SHA384 SHA224 SHA1 AES256 AES192 AES
> CAST5 3DES ZLIB BZIP2 ZIP Uncompressed
> personal-digest-preferences SHA512 SHA256 SHA384 SHA224 SHA1

the lines above look like they indicate your preferences as you describe
them.

> personal-cipher-preferences AES256 AES192 AES CAST5 3DES
> personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
> cert-digest-algo SHA512
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-count 65011712

these lines aren't relevant for data signatures.

> I appreciate there are some lines there not directly related to email
> signature message digests but at least lines 1 and 3 should set the default
> order as specified.  If I generate a new key and then check the preferences
> (--edit-key ID, showpref) it does indeed reflect the above order.  However
> if I send a signed email, it always starts with 'Hash: SHA1'.

gpg is not a mail user agent.  what are you using to send mail?  how is
it connected to gpg?  Your original message claims:

X-Mailer: Microsoft Outlook 15.0

> One additional point: if I use --clearsign for a non-email related document,
> this will employ the SHA512 digest.  Why the discrepancy?  What do I need to
> do to change it on my email?

You need to provide more details about your mail user agent and how it
interacts with GnuPG -- it sounds like the behavior is being introduced
there.

--dkg





Upgrading keys to larger than 1024

2013-09-10 Thread AdamC
I have keys that I have used (sparingly) since 2004. This is a 1024
keysize. That keypair has a few signatures through key signing.

What is the best approach to upgrading keys to 4096? Is it just create a
new keypair and then go to lots of key signing events again (pain), or is
there a way to do this with my current keys?

TIA
Adam

--
You back your data up on the same planet?
PGP key: 0x7111B833


Re: Upgrading keys to larger than 1024

2013-09-10 Thread Daniel Kahn Gillmor
On 09/10/2013 12:47 PM, AdamC wrote:
> I have keys that I have used (sparingly) since 2004. This is a 1024
> keysize. That keypair has a few signatures through key signing.
>
> What is the best approach to upgrading keys to 4096? Is it just create a
> new keypair and then go to lots of key signing events again (pain), or is
> there a way to do this with my current keys?

There's no way to directly upgrade if your primary key is weaker than
you'd like.

You should create a new keypair and go out in the world and meet people
who will sign your key.  it doesn't have to be a pain :)

Ana wrote up some good suggestions about how to do a key transition:

  http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/

Regards,

--dkg





Re: Should the use of multiple UID per key be discouraged?

2013-09-10 Thread Daniel Kahn Gillmor
On 09/10/2013 03:01 PM, Philipp Klaus Krause wrote:
> GPG supports the feature of having multiple UIDs per key.
> However this requires special care of anyone signing such a key.
> AFAIK, there is no really user-friendly, and definitely no
> newbie-friendly way to do so.

Please try out monkeysign (version 1.0 is in debian testing right now).
It targets exactly this problem:

  http://web.monkeysphere.info/monkeysign/

If you think it is not user-friendly enough, the developers are active
and friendly folks, and they would be happy to receive suggestions for
new features.

> Would it be a good idea to discourage people from having multiple UIDs
> per key, and encourage them to create a separate key per UID instead?

I do not think this discouragement would be a good idea, since moving to
multiple keys imposes other costs and difficulties.  There are good
reasons to use separate keys for separate identities (e.g. if you want
to have a key you can hand over to your job when you leave there, or if
you want to operate under a pseudonym).  but there are also good reasons
to use one key for multiple identities (simpler key management, more
direct paths through the WoT for people who know you under one alias or
another).

There are tradeoffs involved in key and identity management, and people
need to be free to make the tradeoffs that make sense for them.

Regards,

--dkg





Re: The symmetric ciphers

2013-09-10 Thread Robert J. Hansen
On 09/10/2013 11:10 AM, Josef Schneider wrote:
> Why? Assuming the Keys are not related (e.g. by creating random keys
> and then encrypting them both with RSA) this is safer, assuming the
> attacker can crack one of the two symmetric ciphers but not RSA.

I repeat my earlier message:

> If you look in the list archives you can find some pretty long,
> detailed writeups on why.

It takes you about thirty seconds to type a message.  To fully answer
your question would require me to spend about an hour crafting an
answer.  Since your question has been answered *at length* in the
archives, I'm not going to answer your question.  I'm going to refer you
to the archives and save myself an hour.



Should the use of multiple UID per key be discouraged?

2013-09-10 Thread Philipp Klaus Krause

GPG supports the feature of having multiple UIDs per key.
However this requires special care of anyone signing such a key.
AFAIK, there is no really user-friendly, and definitely no
newbie-friendly way to do so. IMO this makes it much harder to expand
the web of trust.
Would it be a good idea to discourage people from having multiple UIDs
per key, and encourage them to create a separate key per UID instead?

Philipp


RE: message digest for signed emails

2013-09-10 Thread Adam Gold
> -Original Message-
> From: Daniel Kahn Gillmor [mailto:d...@fifthhorseman.net]
> Sent: 10 September 2013 15:59
> To: Adam Gold
> Cc: gnupg-users@gnupg.org
> Subject: Re: message digest for signed emails
>
> gpg is not a mail user agent.  what are you using to send mail?  how is it
> connected to gpg?  Your original message claims:
>
> X-Mailer: Microsoft Outlook 15.0
>

This message was sent using Outlook however my gpg mail is setup in debian 
wheezy.  I was using the thunderbird equivalent but I've switched to mutt with 
gpg/MIME support as I want to use a console based app.

>> One additional point: if I use --clearsign for a non-email related
>> document, this will employ the SHA512 digest.  Why the discrepancy?
>> What do I need to do to change it on my email?
>
> You need to provide more details about your mail user agent and how it
> interacts with GnuPG -- it sounds like the behavior is being introduced there.
>
>   --dkg

To enable gpg support in mutt I copied /usr/share/doc/mutt/examples/gpg.rc to 
~/.mutt and then added 'source ~/.mutt/gpg.rc' to the mutt config file.  I also 
added to the config a number of lines as per here: http://pastebin.com/t17HcrCS

If I send a mail to myself in mutt I get the following in the received message:

===
[-- PGP output follows (current time: Tue 10 Sep 2013 18:59:09 BST) --]
gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 00583A4C
gpg: Good signature from Adam Gold
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: [ ]
[-- End of PGP output --]
[-- The following data is signed --]
test
[-- End of signed data --]
=

This doesn't show what the hash is so I saved the attached signature.asc file 
and ran 'gpg -v' against the actual email saved in my email directory.  The 
following was returned:

===
gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 
gpg: using PGP trust model
gpg: BAD signature from Adam Gold
gpg: textmode signature, digest algorithm SHA1
===

I guess the bad signature is because the signature.asc file is not meant to be 
detached from the email and then checked against the email.  However, as you'll 
see, the digest is still SHA1.  Perhaps this is unreliable too but I can't see 
another way when viewing a signed message in mutt to ascertain the digest.

FYI: it mentions here that mutt supports SHA2: 
https://wiki.ubuntu.com/SecurityTeam/GPGMigration

I really appreciate you taking the time to look at this.  If there is any 
specific information I have omitted, please let me know.  Alternatively if you 
don't mind, I can send you directly a signed email from my mutt account (I 
don't want to reveal it publicly) and you could see what digest is being used.


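Added example (not part of the original post, and not GnuPG or mutt code): one way to read the digest algorithm directly from a saved signature.asc by parsing the OpenPGP signature packet, so the answer does not depend on whether verification succeeds. The function names, `build_sample`, and the key ID and timestamp inside it are constructed for illustration; only version 4 signatures are handled.

```python
import base64

# Algorithm IDs from RFC 4880, section 9.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 16: "ELG-E", 17: "DSA"}
SIG_TYPES = {0x00: "binary", 0x01: "textmode"}


def dearmor(text):
    """Return the binary packets inside one ASCII-armored block."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = []
    for line in lines[lines.index("") + 1:]:    # armor headers end at the blank line
        if line.startswith(("=", "-----END")):  # CRC-24 line or end of armor
            break
        body.append(line)
    return base64.b64decode("".join(body))


def var_length(buf, pos, two_octet_max):
    """Decode a new-format length at buf[pos]; return (length, next_pos)."""
    if buf[pos] < 192:
        return buf[pos], pos + 1
    if buf[pos] <= two_octet_max:
        return ((buf[pos] - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if buf[pos] == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not handled")


def read_packet(data):
    """Parse the first packet in data; return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                            # new-format header
        tag = first & 0x3F
        length, pos = var_length(data, 1, 223)
    elif (first & 0x03) == 3:
        raise ValueError("indeterminate length is not handled")
    else:                                       # old-format header
        tag, size = (first >> 2) & 0x0F, (1, 2, 4)[first & 0x03]
        length, pos = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def subpackets(area):
    """Yield (type, data) pairs from a v4 signature subpacket area."""
    pos = 0
    while pos < len(area):
        length, pos = var_length(area, pos, 254)
        if length == 0:
            raise ValueError("empty subpacket")
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # bit 7 = critical
        pos += length


def describe_signature(armored):
    """Report what a v4 signature packet says about itself (no verification)."""
    tag, body = read_packet(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    end = 6 + int.from_bytes(body[4:6], "big")  # end of the hashed subpackets
    unhashed = body[end + 2:end + 2 + int.from_bytes(body[end:end + 2], "big")]
    info = {"type": SIG_TYPES.get(body[1], hex(body[1])), "created": None,
            "pubkey": PUBKEY_ALGOS.get(body[2], str(body[2])), "issuer": None,
            "digest": HASH_ALGOS.get(body[3], str(body[3]))}
    for kind, value in [*subpackets(body[6:end]), *subpackets(unhashed)]:
        if kind == 2:                           # signature creation time
            info["created"] = int.from_bytes(value, "big")
        elif kind == 16:                        # issuer key ID
            info["issuer"] = value.hex().upper()
    return info


def build_sample(hash_id):
    """Constructed sample, NOT a real signature: valid framing, dummy value."""
    hashed = bytes([5, 2]) + (1378835888).to_bytes(4, "big")       # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")  # issuer key ID
    body = (bytes([4, 0x01, 1, hash_id, 0, len(hashed)]) + hashed
            + bytes([0, len(unhashed)]) + unhashed + b"\x00\x00\x00\x08\xff")
    armor = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + armor + "\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    print([describe_signature(build_sample(h))["digest"] for h in (2, 10)])
```

For a real message, pass the contents of the saved signature.asc to `describe_signature`. `gpg --list-packets signature.asc` prints the same fields, where `digest algo 2` is SHA1 and `digest algo 10` is SHA512.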


Re: message digest for signed emails

2013-09-10 Thread Daniel Kahn Gillmor
On 09/10/2013 02:23 PM, Adam Gold wrote:

> To enable gpg support in mutt I copied /usr/share/doc/mutt/examples/gpg.rc to
> ~/.mutt and then added 'source ~/.mutt/gpg.rc' to the mutt config file.  I
> also added to the config a number of lines as per here:
> http://pastebin.com/t17HcrCS
>
> If I send a mail to myself in mutt I get the following in the received
> message:
>
> ===
> [-- PGP output follows (current time: Tue 10 Sep 2013 18:59:09 BST) --]
> gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID 00583A4C
> gpg: Good signature from Adam Gold
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the owner.
> Primary key fingerprint: [ ]
> [-- End of PGP output --]
> [-- The following data is signed --]
> test
> [-- End of signed data --]
> =
>
> This doesn't show what the hash is so I saved the attached signature.asc file
> and ran 'gpg -v' against the actual email saved in my email directory.  The
> following was returned:
>
> ===
> gpg: Signature made Tue 10 Sep 2013 18:58:08 BST using RSA key ID
> gpg: using PGP trust model
> gpg: BAD signature from Adam Gold
> gpg: textmode signature, digest algorithm SHA1
> ===
>
> I guess the bad signature is because the signature.asc file is not meant to
> be detached from the email and then checked against the email.  However, as
> you'll see, the digest is still SHA1.  Perhaps this is unreliable too but I
> can't see another way when viewing a signed message in mutt to ascertain the
> digest.
>
> FYI: it mentions here that mutt supports SHA2:
> https://wiki.ubuntu.com/SecurityTeam/GPGMigration
>
> I really appreciate you taking the time to look at this.  If there is any
> specific information I have omitted, please let me know.  Alternatively if
> you don't mind, I can send you directly a signed email from my mutt account
> (I don't want to reveal it publicly) and you could see what digest is being
> used.

sorry, i don't know much about mutt or how it integrates with gpg.
maybe someone else on the list can help you with that, or you could ask
on a mailing list that's dedicated to mutt?

--dkg





Re: Why trust gpg4win?

2013-09-10 Thread Jan

10/9/2013 14:19, Werner Koch wrote :

> So what about using that free USB stack for AVR's to implement a flash
> device?  You would be able to audit about everything; flylogic even has
> these nice pictures of the ATmega88 masks...


10/9/2013  16:33, David Smith wrote:

> AVR is a semiconductor manufacturer who make microcontrollers (amongst
> other things).


Thanks for the answers. Did you refer to the following?

http://www.fourwalledcubicle.com/files/LUFA/Doc/120219/html/index.html
http://www.flylogic.net/blog/?p=23

How could I implement a flash device? Do you mean I need to take some 
existing USB device created by AVR and replace its firmware by LUFA or 
something like that? Could I use that modified USB device on every PC or 
operating system?


Kind regards,
Jan 


