Re: Selecting your own key with Enigmail
On Tue 22.10.2013, 23:45:28, Johan Wevers wrote:

> pub  1024D/9E8C5DDF  created: 2000-08-11  expires: never       usage: SCA
>                      trust: ultimate      validity: ultimate
> sub  3072g/7A3FE18C  created: 2000-08-11  expires: never       usage: E
> [ultimate] (1). Johan Wevers
> [ultimate] (2)  Johan Wevers
>
> Should I put the 7A3FE18C in encrypt-to instead of 9E8C5DDF?

No.

> When I encrypt files on the command line with gpg -e it uses the
> correct key.

It seems to me that this is an Enigmail problem and not a gpg problem.
Probably you have configured the wrong key there.

Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust your corporation for keyowner identification?
On Tue 22.10.2013, 18:01:46, Robert J. Hansen wrote:

> certificate, you are making an assertion about identity: that, to a
> level exceeding your threshold of certainty,

Even worse: "exceeding your threshold of certainty in that moment". I am
afraid this assessment changes for most users over time (which is not bad
per se; the problem is the lack of transparency about that). Thus I demand
a standardized scale for that so that we can easily know what the others
are talking about.

Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: Selecting your own key with Enigmail
On 22-10-2013 23:38, Hauke Laging wrote:

>> I have 2 active keys (a v3 2048 bit RSA and a v3 3072 bit DSA), and when
>> I send encrypted mail via Thunderbird 3.1.20 it always uses the RSA key
>> for encrypt to self but I want to use the other.
>
> DSA cannot encrypt.

I was incomplete, it is a 1024 DSA key with a 3072 bit ElGamal encryption
subkey:

gpg --edit-key 9e8c5ddf
gpg (GnuPG) 1.4.15; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/9E8C5DDF  created: 2000-08-11  expires: never       usage: SCA
                     trust: ultimate      validity: ultimate
sub  3072g/7A3FE18C  created: 2000-08-11  expires: never       usage: E
[ultimate] (1). Johan Wevers
[ultimate] (2)  Johan Wevers

Should I put the 7A3FE18C in encrypt-to instead of 9E8C5DDF? When I
encrypt files on the command line with gpg -e it uses the correct key.

The RSA key is only kept for pgp 2.x compatibility.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: trust your corporation for keyowner identification?
On 10/22/2013 11:01 AM, Stan Tobias wrote:
> But this is not a real identification - almost none of us
> has means to confirm an identity, which is a job for a detective.

Last time I walked into a courthouse to speak with a judge the marshal
asked for my driver's license -- he checked the photograph to make sure it
was me, held it up to the light to check for a hologram, then checked the
logbook to see if I was an expected visitor. Once he saw my name listed
in the logbook he gave my driver's license back and buzzed me in. As far
as the U.S. Marshal was concerned, my identity had been proven to a
sufficient degree. He certainly didn't conduct a background check on me.

(My father and cousin are both judges, if you're wondering why I visit
courthouses so often.)

That phrase, "to a sufficient degree," is important. You cannot ever
verify someone's identity 100%, not even with DNA testing -- it's always
possible they have an identical twin, always possible the lab work was
sloppy and done in error, etc. What you want to do instead is have a
certain level of confidence in someone's identity. For some people, that
level of confidence is "this person says they are so-and-so." For other
people, that level of confidence is "this person has a passport saying
they are so-and-so."

OpenPGP is completely silent about what level of confidence you should
have for a certification. It only says that when you sign a certificate,
you are making an assertion about identity: that, to a level exceeding
your threshold of certainty, such-and-such an identifier is an accurate
descriptor for the individual or agency who controls the private part of
a certificate.
Re: Selecting your own key with Enigmail
On Tue 22.10.2013, 23:21:28, Johan Wevers wrote:

> I have 2 active keys (a v3 2048 bit RSA and a v3 3072 bit DSA), and when
> I send encrypted mail via Thunderbird 3.1.20 it always uses the RSA key
> for encrypt to self but I want to use the other.

DSA cannot encrypt.

gpg --edit-key 0x12345678
quit

shows you the keys' capability flags.

Hauke
-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/bekannte/
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
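The two points made in this thread, that a DSA primary key has no encryption capability and that naming either the primary key ID or the subkey ID in encrypt-to still resolves to the ElGamal subkey, can be checked mechanically from gpg's machine-readable listing. The following script is an added example, not code from the thread or from GnuPG. It parses `gpg --list-keys --with-colons` output (field 4 is the algorithm number, field 5 the key ID, field 12 the capabilities: lower-case letters are the component's own capabilities, upper-case letters on the pub record the usable capabilities of the whole key). The records in SAMPLE are constructed to mirror the key shown above (DSA primary 9E8C5DDF with ElGamal subkey 7A3FE18C) plus an RSA key under the placeholder ID 00000000; real output carries 16-digit key IDs and more fields per record.

```python
"""Which component of a key will gpg actually encrypt to?

Added example, not code from the thread or from GnuPG. Parses the
`gpg --list-keys --with-colons` record format; SAMPLE is constructed data
mirroring the thread's DSA+ElGamal key plus a placeholder RSA key (ID 00000000).
"""
import subprocess

ALGO_NAMES = {1: "RSA", 16: "ELG-E", 17: "DSA"}      # OpenPGP public-key algorithm IDs

SAMPLE = """\
pub:u:1024:17:9E8C5DDF:2000-08-11:::u:::scaESCA:
uid:u::::2000-08-11::::Johan Wevers:
sub:u:3072:16:7A3FE18C:2000-08-11::::::e:
pub:u:2048:1:00000000:1998-01-01:::u:::escaESCA:
uid:u::::1998-01-01::::placeholder RSA key (constructed):
"""


def parse_colon_listing(text):
    """Group pub and sub records into keys; each component keeps algo, bits, caps, creation date."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        comp = {"keyid": f[4].upper(), "bits": int(f[2]), "algo": int(f[3]),
                "created": f[5], "caps": f[11], "subkeys": []}
        if f[0] == "pub":
            keys.append(comp)
        elif keys:
            keys[-1]["subkeys"].append(comp)
    return keys


def describe(comp):
    """Render a component roughly the way --edit-key does, e.g. '1024 DSA 9E8C5DDF usage: SCA'."""
    own = "".join(c.upper() for c in comp["caps"] if c.islower())
    return f"{comp['bits']} {ALGO_NAMES.get(comp['algo'], comp['algo'])} {comp['keyid']} usage: {own}"


def find_key(keys, spec):
    """The key that `spec` names: primary or subkey ID, optional 0x prefix, any suffix length."""
    spec = spec.strip().upper()
    if spec.startswith("0X"):
        spec = spec[2:]
    for key in keys:
        for comp in [key] + key["subkeys"]:
            if comp["keyid"].endswith(spec):
                return key
    return None


def encryption_target(keys, spec):
    """Key ID of the component gpg encrypts to when `spec` is given to -r, encrypt-to or default-key.

    gpg never encrypts to a component lacking the 'e' capability; among several it takes the
    newest valid one (assumption about tie-breaking: the latest creation date wins).
    """
    key = find_key(keys, spec)
    if key is None:
        return None
    capable = [c for c in [key] + key["subkeys"] if "e" in c["caps"]]
    if not capable:
        return None                      # e.g. a DSA key without an encryption subkey
    return max(capable, key=lambda c: c["created"])["keyid"]


def from_gpg():
    """Read the real keyring (not used by the self-test; needs gpg on PATH)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons"], check=True,
                         capture_output=True, text=True).stdout
    return parse_colon_listing(out)


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE)
    for spec in ("9E8C5DDF", "0x7a3fe18c", "00000000"):
        print(f"encrypt-to {spec:<10} -> {encryption_target(keys, spec)}")
```

For the constructed listing, both `9E8C5DDF` and `0x7a3fe18c` resolve to 7A3FE18C, which is why gpg -e on the command line already does the right thing whichever ID is in gpg.conf: the choice of the ElGamal subkey is made by gpg from the capability flags, not by the ID you write. Replace `parse_colon_listing(SAMPLE)` with `from_gpg()` to run the same check against a real keyring.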
gpg4win pinentry ignores PIN-pad
Hi,

I am using gpg4win 2.2.1, which according to the change log supports the
SPR332 PIN-pad, but pinentry requests the PIN from the keyboard. Is there
anything I need to configure to enforce the entry from the card reader?

In GNU/Linux, pinentry only opens a window telling me to enter the PIN on
the card reader and I don't even get the opportunity to enter it from my
keyboard by mistake. This is the way I want it.

Since I don't know where to start, I attached a log from scdaemon. If you
need any additional information, I will be happy to provide it.

Have a good time,
Martin

scdaemon[15820]: chan_0138 -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[15820]: chan_0138 <- GETINFO socket_name
scdaemon[15820]: chan_0138 -> D C:\Users\asdf\AppData\Roaming\gnupg\S.scdaemon
scdaemon[15820]: chan_0138 -> OK
scdaemon[15820]: chan_0138 <- OPTION event-signal=f8
scdaemon[15820]: chan_0138 -> OK
scdaemon[15820]: chan_0138 <- SERIALNO openpgp
2013-10-22 19:53:07 scdaemon[15820] reader slot 0: active protocol: T1
2013-10-22 19:53:07 scdaemon[15820] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 A4 00 0C 02 3F 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=6B00 datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 A4 04 00 06 D2 76 00 01 24 01
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00 p2=4F lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 4F 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=16
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump: D2 76 00 01 24 01 02 00 00 05 00 00 04 89 00 00
2013-10-22 19:53:07 scdaemon[15820] AID: D2 76 00 01 24 01 02 00 00 05 00 00 04 89 00 00
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=5F p2=52 lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 5F 52 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=10
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump: 00 31 C5 73 C0 01 40 05 90 00
2013-10-22 19:53:07 scdaemon[15820] Historical Bytes: 00 31 C5 73 C0 01 40 05 90 00
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 C4 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=7
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump: 00 20 20 20 03 00 03
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 6E 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=217
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump: 4F 10 D2 76 00 01 24 01 02 00 00 05 00 00 04 89 00 00 5F 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 10 00 00 20 00 C2 06 01 10 00 00 20 00 C3 06 01 10 00 00 20 00 C4 07 00 20 20 20 03 00 03 C5 3C CC 19 5D 23 92 34 85 8F E0 25 31 DB A9 F0 CC F3 EA 7E F1 4F 79 C0 D2 34 6E 04 09 AB 89 B5 ED 10 8D 1F 92 D2 4A E6 0B AF 7A F7 D8 1C 32 87 D5 E3 D5 A0 F1 BA 75 29 9B 20 95 6A 3C EC C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 52 5D 88 A3 52 5D 88 A3 52 5D 88 A3
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00 p2=5E lc=-1 le=256 em=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  PCSC_data: 00 CA 00 5E 00
2013-10-22 19:53:07 scdaemon[15820] DBG:  response: sw=9000 datalen=0
2013-10-22 19:53:07 scdaemon[15820] DBG:  dump:
2013-10-22 19:53:07 scdaemon[15820] Version-2 ......: yes
2013-10-22 19:53:07 scdaemon[15820] Get-Challenge ..: yes (2048 bytes max)
2013-10-22 19:53:07 scdaemon[15820] Key-Import .....: yes
2013-10-22 19:53:07 scdaemon[15820] Change-Force-PW1: yes
2013-10-22 19:53:07 scdaemon[15820] Private-DOs ....: yes
2013-10-22 19:53:07 scdaemon[15820] Algo-Attr-Change: yes
2013-10-22 19:53:07 scdaemon[15820] SM-Support .....: no
2013-10-22 19:53:07 scdaemon[15820] Max-Cert3-Len ..: 2048
2013-10-22 19:53:07 scdaemon[15820] Max-Cmd-Data ...: 2048
2013-10-22 19:53:07 scdaemon[15820] Max-Rsp-Data ...: 2048
2013-10-22 19:53:07 scdaemon[15820] Cmd-Chaining ...: no
2013-10-22 19:53:07 scdaemon[15820] Ext-Lc-Le ......: yes
2013-10-22 19:53:07 scdaemon[15820] Status Indicator: 05
2013-10-22 19:53:07 scdaemon[15820] GnuPG-No-Sync ..: no
2013-10-22 19:53:07 scdaemon[15820] GnuPG-Def-PW2 ..: no
2013-10-22 19:53:07 scdaemon[15820] DBG: send apdu: c=00 i=CA p1=00 p2=6E l
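The "Version-2", "Get-Challenge", "Cmd-Chaining", "Ext-Lc-Le" and "Status Indicator" lines at the end of the log are scdaemon's decoding of the AID, the historical bytes and the Application Related Data (the 217-byte answer to GET DATA 6E) shown earlier in the same dump. The decoder below is an added example, not part of the original message or of GnuPG; it re-derives those lines from the dump bytes, and also pulls out the PIN retry counters, the key fingerprints and the key generation timestamps that scdaemon does not print here. The hex is copied from the log, with the 60 zero bytes of the unset CA fingerprints (tag C6) expanded programmatically; field layouts follow the OpenPGP card specification v2.0; the MANUFACTURERS table is a small subset of the registry and an assumption beyond the page.

```python
"""Decode the OpenPGP card data objects that scdaemon dumps above (GET DATA 6E).

Added example, not part of the original message or of GnuPG. The bytes are the 217-byte
response to "00 CA 00 6E 00" from the log; the 60 zero bytes of tag C6 are expanded
programmatically. Layouts follow the OpenPGP card specification v2.0; MANUFACTURERS is a
small subset of the registry and an assumption beyond the page.
"""

_DUMP = (
    "4F 10 D2 76 00 01 24 01 02 00 00 05 00 00 04 89 00 00 "           # 4F: AID
    "5F 52 0A 00 31 C5 73 C0 01 40 05 90 00 "                           # 5F52: historical bytes
    "73 81 B7 "                                                         # 73: discretionary DOs, 183 bytes
    "C0 0A 7C 00 08 00 08 00 08 00 08 00 "                              # C0: extended capabilities
    "C1 06 01 10 00 00 20 00 C2 06 01 10 00 00 20 00 C3 06 01 10 00 00 20 00 "  # C1-C3: algorithm attributes
    "C4 07 00 20 20 20 03 00 03 "                                       # C4: PW status bytes
    "C5 3C CC 19 5D 23 92 34 85 8F E0 25 31 DB A9 F0 CC F3 EA 7E F1 4F "  # C5: fingerprints (sig,
    "79 C0 D2 34 6E 04 09 AB 89 B5 ED 10 8D 1F 92 D2 4A E6 0B AF "        #     enc,
    "7A F7 D8 1C 32 87 D5 E3 D5 A0 F1 BA 75 29 9B 20 95 6A 3C EC "        #     aut)
    "C6 3C " + "00 " * 60 +                                             # C6: CA fingerprints, unset
    "CD 0C 52 5D 88 A3 52 5D 88 A3 52 5D 88 A3"                         # CD: key generation times
)
APPLICATION_RELATED_DATA = bytes.fromhex(_DUMP)

MANUFACTURERS = {0x0001: "PPC Card Systems", 0x0005: "ZeitControl", 0x0006: "Yubico"}
KEY_NAMES = ("sig", "enc", "aut")


def parse_tlv(data):
    """One level of BER-TLV as [(tag, value)]; handles 2-byte tags (5F52) and 81/82 lengths."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]; i += 1
        if tag & 0x1F == 0x1F:
            tag = (tag << 8) | data[i]; i += 1
        length = data[i]; i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        out.append((tag, data[i:i + length])); i += length
    return out


def parse_aid(aid):
    """RID D27600012401, version (2 BCD bytes), manufacturer (2), serial (4), RFU (2)."""
    if len(aid) != 16 or aid[:6] != bytes.fromhex("D27600012401"):
        raise ValueError("not an OpenPGP card AID")
    mfr = int.from_bytes(aid[8:10], "big")
    return {"version": f"{aid[6]:x}.{aid[7]:x}", "manufacturer": mfr,
            "manufacturer_name": MANUFACTURERS.get(mfr, "unknown"),
            "serial": int.from_bytes(aid[10:14], "big")}


def parse_historical_bytes(hb):
    """Category 00: compact TLVs (tag = high nibble, length = low nibble), then status byte + SW."""
    if hb[0] != 0x00:
        raise ValueError("unsupported category indicator")
    result, body, i = {}, hb[1:-3], 0
    while i < len(body):
        tag, length = body[i] >> 4, body[i] & 0x0F
        value = body[i + 1:i + 1 + length]; i += 1 + length
        if tag == 7 and len(value) >= 3:       # card capabilities, third software function table
            result["cmd_chaining"] = bool(value[2] & 0x80)
            result["ext_lc_le"] = bool(value[2] & 0x40)
    result["status_indicator"] = hb[-3]        # 05 = operational state (activated)
    result["sw"] = hb[-2:].hex().upper()
    return result


def parse_extended_capabilities(ec):
    """Tag C0: flag byte, SM algorithm, then four big-endian 16-bit maxima."""
    names = ("sm_support", "get_challenge", "key_import", "pw_status_changeable",
             "private_dos", "algo_attr_changeable")
    result = {n: bool(ec[0] & (0x80 >> i)) for i, n in enumerate(names)}
    result["sm_algorithm"] = ec[1]
    for i, n in enumerate(("max_get_challenge", "max_cert3_len", "max_cmd_data", "max_rsp_data")):
        result[n] = int.from_bytes(ec[2 + 2 * i:4 + 2 * i], "big")
    return result


def parse_algorithm_attributes(aa):
    """Tags C1-C3 (RSA, v2.0): algorithm ID, modulus bits, exponent bits, import format."""
    return {"algo": aa[0], "modulus_bits": int.from_bytes(aa[1:3], "big"),
            "exponent_bits": int.from_bytes(aa[3:5], "big"), "import_format": aa[5]}


def parse_pw_status(ps):
    """Tag C4: PW1 validity, max lengths (bit 8 = PIN block format), remaining retry counters."""
    return {"pw1_valid_for_one_signature": ps[0] == 0x00,
            "pw1_max_len": ps[1] & 0x7F, "rc_max_len": ps[2] & 0x7F, "pw3_max_len": ps[3] & 0x7F,
            "pw1_retries": ps[4], "rc_retries": ps[5], "pw3_retries": ps[6]}


def decode_application_related_data(ard):
    top = dict(parse_tlv(ard))
    dos = dict(parse_tlv(top[0x73]))
    fps, ca, times = dos[0xC5], dos[0xC6], dos[0xCD]
    return {
        "aid": parse_aid(top[0x4F]),
        "historical": parse_historical_bytes(top[0x5F52]),
        "extended_capabilities": parse_extended_capabilities(dos[0xC0]),
        "key_attributes": {n: parse_algorithm_attributes(dos[0xC1 + i]) for i, n in enumerate(KEY_NAMES)},
        "pw_status": parse_pw_status(dos[0xC4]),
        "fingerprints": {n: fps[20 * i:20 * i + 20].hex().upper() for i, n in enumerate(KEY_NAMES)},
        "ca_fingerprint_set": [any(ca[20 * i:20 * i + 20]) for i in range(3)],
        "key_generation_times": [int.from_bytes(times[4 * i:4 * i + 4], "big") for i in range(3)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(decode_application_related_data(APPLICATION_RELATED_DATA), indent=2))
```

Decoded, the dump says: OpenPGP card v2.0, manufacturer 0x0005, serial 0x489; Get-Challenge, key import, PW-status change, private DOs and algorithm-attribute change supported, secure messaging not; extended Lc/Le but no command chaining; three RSA-4096 slots with PW1 still at 3 retries and the reset code unset (0 retries). Everything here describes the card. Nothing in these data objects says anything about the reader, and secure PIN entry on a keypad is a property of the reader and the driver path between scdaemon and it, which is why this part of the trace alone cannot show why the PIN is being collected from the keyboard on Windows.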
Selecting your own key with Enigmail
Hello,

I have 2 active keys (a v3 2048 bit RSA and a v3 3072 bit DSA), and when
I send encrypted mail via Thunderbird 3.1.20 it always uses the RSA key
for encrypt to self but I want to use the other. I can define rules
which keys to use for other recipients but not for myself, at least not
where I can find it. I have put the DSA key in gpg.conf in the
default-key and encrypt-to sections but that doesn't seem to help.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: trust your corporation for keyowner identification?
Hi

On Thursday 17 October 2013 at 11:37:35 AM, in , Brian J. Murrell wrote:

> On 13-10-16 05:28 PM, MFPA wrote:

>> If the key was generated, stored, or used on the
>> company's computer, all bets are off regarding Bob
>> being the only one with access to a copy.

> Why would it be? There is no reason, with this
> verification scheme that anyone's private keys (or
> public keys for that matter) go anywhere near the
> company's computer.

> Cheers, b.

When you said you would be messaging "bob@corporate.domain" I interpreted
that in the context of a discussion about OpenPGP keys to mean you were
exchanging encrypted communications with that email address.

It appears you probably meant the communication with "bob@corporate.domain"
was the out-of-band channel by which you and Bob told each other your
OpenPGP key fingerprints, and that being able to send emails from those
corporate accounts also doubled as identity verification (because only the
individual knows the relevant credentials to send from "their" corporate
email address, and the company is required to verify government-issued ID
documents when engaging staff).

The bit about the employer having to verify people's ID may lead me to
accept a corporate ID card as an alternative to government-issued ID.

As for use of a corporate email address, could I be sure that Bob locked
his computer every time he left his desk? Or that nobody else would ever
have access to a written record of Bob's passwords? Or that, in Bob's
absence, a substitute would never use Bob's email address when covering
his work?

-- 
Best regards

MFPA                    mailto:expires2...@ymail.com

If at first you don't succeed, destroy all evidence that you tried.
Building pinentry on Windows 7
Hello,

I couldn't find any manual for building pinentry executables for Windows
(specifically Windows 7/8). Also for Gpg4Win 2 in general. I know it
should be cross-compiled, but there is no up-to-date manual on the
internet, or I couldn't find it. Can you please give some detailed
instructions on how to do it on Windows 7.

Since I am not subscribed to this mailing list, please add me to CC.

Best regards,
Nikola Radovanovic
Re: trust your corporation for keyowner identification?
"Robert J. Hansen" wrote:

> > In my proposed scenario, the corporation is doing nothing more than
> > providing a means for the participants to know that Bob is actually Bob
> > because the company has checked his id and said he is and providing an
> > authenticated means (again, IT being a black-hat aside) to communicate
> > with Bob and verify fingerprints, etc.
>
> Under this scenario, the entire thing is dangerously bogus.
>
> When I sign a certificate, I am sending a message: "I am vouching for
> the identity of X." Under your scenario, I'm no longer vouching for
> the identity of X. I would instead be saying, "Someone else who is
> not listed on this signature has vouched for the identity of X. I am
> signing this without any direct personal knowledge of X's identity."
>
> If you're vouching for X's identity, you need to take positive steps
> to verify X's identity. If someone else is vouching for X's identity,
> then let them sign X's certificate. Why should you get involved
> without doing your own positive verification?

I somewhat disagree. I think we deal with two separate problems here:
1. identification of a person, and 2. certification of the key. The
latter is about the person claiming use of the key, i.e. you vouch that
the person told you "This is my key". Making a certification is *not* a
confirmation of an identity.

At key-signing parties you "identify" a person by looking into his
documents. But this is not a real identification - almost none of us has
means to confirm an identity, which is a job for a detective. By looking
into someone's documents we only check the person has a title to use a
particular name (i.e. is known by this name to others). (The person
remains as anonymous as he was before showing his ID.)

So my conclusion with regard to the OP's question is that an
identification performed by a corporation is good enough to believe that
X is X. However, a certification signature by a corporation on X's key
(which by itself does not state anything about X's identity) is not
enough to know X claims that key - you have to hear it from X himself (in
order to leave your certificate).

Stan T.

P.S.1 I've presented my position as a set of assertions, but I don't mean
to stand entirely by their correctness; I humbly await comments.

P.S.2 Sorry to be a late-comer to the discussion - initially I had some
difficulty to formulate the problem; this is my second writing.
Re: How to add only specified public key from an asc file containing many keys?
On 10/20/2013 10:28 PM, Veet Vivarto wrote:
> Hi,
>
> Please consider this situation. The user has a file containing some
> 30 public keys. He/she lists the keys and only wants to import only 2
> of these keys. How can he/she do that?
>
> Is there a command that allows to specify the keys to import? Also,
> would the same method work with adding keys from a public keyring
> file?
>
> Thank you in advance for your assistance. Vivarto

If the keys are ASCII armored, I'd just copy the file, and delete the
unwanted 28.
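Deleting the unwanted keys by hand only works when each key sits in its own armored block; a single block produced by one `gpg --export -a` of several keys cannot be cut with a text editor, and a binary keyring file cannot be edited that way at all. The script below is an added example, not code from the thread or from GnuPG. It dearmors the file (or takes a binary keyring as-is), walks the OpenPGP packet stream, groups each public-key packet with the user-ID, subkey and signature packets that follow it, identifies every key by its v4 fingerprint, and writes back only the keys whose fingerprint or key ID you name, ready for `gpg --import`. `constructed_key()` builds toy keys (tiny RSA numbers, no self-signatures) purely so the parser can be exercised offline; they are not real keys.

```python
"""Pull selected keys out of a multi-key .asc file (or binary keyring) before importing.

Added example, not code from the thread or from GnuPG: dearmor, walk the OpenPGP packet
stream (RFC 4880 old- and new-format headers), group packets per primary key, identify keys
by v4 fingerprint, emit only the wanted ones. constructed_key() makes toy keys (tiny RSA
numbers, no self-signatures) purely to exercise the parser; they are not real keys.
"""
import base64
import hashlib

PUBLIC_KEY, USER_ID, PUBLIC_SUBKEY = 6, 13, 14              # packet tags (RFC 4880 4.3)


def dearmor(text):
    """Binary payload of every armored block in `text`; armor headers and the CRC line are skipped."""
    out, chunks, collecting, in_headers = b"", [], False, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            chunks, collecting, in_headers = [], True, True
        elif line.startswith("-----END PGP") or line.startswith("="):
            if collecting:
                out += base64.b64decode("".join(chunks))
            collecting = False
        elif collecting:
            if in_headers and (":" in line or not line.strip()):
                continue                                     # "Version: ..." lines, blank separator
            in_headers = False
            chunks.append(line.strip())
    return out


def iter_packets(data):
    """Yield (tag, raw_packet, body); partial and indeterminate body lengths are rejected."""
    i = 0
    while i < len(data):
        start, ptag = i, data[i]
        if not ptag & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {i}")
        i += 1
        if ptag & 0x40:                                      # new-format header
            tag, first = ptag & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                                # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[start:i + length], data[i:i + length]
        i += length


def v4_fingerprint(body):
    """SHA-1 over 0x99, two-byte body length, body (RFC 4880 12.2); key ID = last 16 hex digits."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported (v3 fingerprints are MD5 over the MPIs)")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def split_keys(data):
    """[(fingerprint, raw bytes of the whole key)] in file order; `data` may be armored or binary."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        data = dearmor(data.decode("ascii", "replace"))
    keys = []
    for tag, raw, body in iter_packets(data):
        if tag == PUBLIC_KEY:
            keys.append([v4_fingerprint(body), b""])
        elif not keys:
            raise ValueError("packet before the first public-key packet")
        keys[-1][1] += raw
    return [tuple(k) for k in keys]


def select_keys(data, wanted):
    """Binary keyring holding only the keys whose fingerprint ends with an entry of `wanted`."""
    wanted = [w.replace(" ", "").upper() for w in wanted]
    wanted = [w[2:] if w.startswith("0X") else w for w in wanted]
    return b"".join(raw for fp, raw in split_keys(data) if any(fp.endswith(w) for w in wanted))


def crc24(data):
    """Armor checksum (RFC 4880 6.1): an integrity check only, not a security property."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def enarmor(binary):
    b64 = base64.b64encode(binary).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"


def constructed_key(uid, n, e=65537, created=0):
    """Toy v4 RSA key for tests only: public key + user ID + subkey, no signatures, not usable."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    packet = lambda tag, body: bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    return packet(PUBLIC_KEY, body) + packet(USER_ID, uid.encode()) + packet(PUBLIC_SUBKEY, body)
```

Typical use: `split_keys(open("all.asc", "rb").read())` lists every fingerprint in the file; `enarmor(select_keys(data, ["0x9E8C5DDF"]))` gives an armored file holding just that key, which `gpg --import` accepts (gpg also accepts the binary output directly). The same functions work unchanged on a binary pubring file, which answers the second question in the post. Without any extra tooling the equivalent gpg-only route is to import the whole file into a throwaway keyring (`gpg --no-default-keyring --keyring ./tmp.gpg --import all.asc`) and then export only the wanted key IDs from it into the real keyring.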