Re: Two convicted in U.K. for refusal to decrypt data
On 2009-08-13, David SMITH wrote:

> So the people who come on gnupg-users asking for help because they've
> forgotten their passphrase or accidentally deleted their ~/.gnupg
> directory don't exist?
>
> I guess that's a new way of replying to them: "You don't exist".
>
> Not forgetting the possibility of malicious intentions - trying to frame
> someone by putting encrypted data onto someone's computer and tipping
> off the authorities.

http://news.zdnet.co.uk/internet/0,100097,2073974,00.htm

  In a stunt organised by the civil liberties group Stand, the Home
  Secretary Jack Straw was sent details of a crime Sunday that could
  earn him up to two years in prison if the controversial e-commerce
  bill were made law.

  ...

  According to Stand an encrypted email was sent to Mr Straw Sunday
  afternoon containing a confession to a real crime. The key to decrypt
  the message will be in Mr Straw's name. Stand will tip off the
  Metropolitan Commissioner of Police Monday, informing him that Mr
  Straw has important information about a crime. If the e-commerce bill
  were in place, Straw would be required to hand over the decryption key
  or face up to two years in prison.

  "In principle, under the bill, Jack Straw would have to prove he never
  had the key in the first place. We are hoping this will help him
  understand that this is unworkable, an intolerable reversal of the
  burden of proof and against the Human Rights Act," says Malcolm Hutty,
  spokesman for Stand.

(September 1999)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Seals
On 2008-11-03, David Shaw wrote:

> Rather offtopic, but I read an interesting paper on seals a while back
> (I'm afraid I don't recall where offhand). Seals never really assured
> confidentiality. A person who wanted to open a letter would just make
> a mold of the seal, melt it free, read the letter and then re-make the
> seal using the mold.
>
> The countermeasure was to use multiple colors in the seal so that
> melting it free would mix up the colors so the new seal wouldn't look
> right. The catch was that you'd have to send a drawing of how the
> first seal looked using a different communications channel so the
> recipient could compare...

Hey, that sounds like a key distribution problem!
Strange problem with seahorse (and consequently enigmail).
[Note: I posted this to the Ubuntu-users list recently too. Apologies to those who have already seen it.]

I have a strange problem with seahorse not working on only one of two Ubuntu computers. The gpg-agent works in the curses-like way when I call gpg in xterm, but seahorse doesn't. (Because seahorse isn't working but Thunderbird enigmail detects the agent running, Enigmail doesn't work either.)

The output of 'ps aux OT' after logging into GNOME includes these commands (with the same start time, owned by my userid):

  /usr/bin/gpg-agent --daemon --sh --write-env-file=/home/adam/.gnupg/gpg-agent-info-beetle /usr/bin/seahorse-agent --execute /usr/bin/gnome-session
  [seahorse-agent]

(On the computer that isn't giving me this problem, the first line is the same except for the hostname, but the next line says

  /usr/bin/seahorse-agent --execute /usr/bin/gnome-session

and everything works.)

When I try to run 'seahorse-preferences' from a command-line, I get the following errors:

  ** (seahorse-preferences:11283): CRITICAL **: init_gpgme: assertion `GPG_IS_OK (err)' failed
  ** (seahorse-preferences:11283): CRITICAL **: seahorse_pgp_source_init: assertion `GPG_IS_OK (err)' failed
  Segmentation fault

I'd be grateful for any suggestions or debugging tips. I'm using gnupg 1.4.8 and the additional packages listed below. I've tried purging and reinstalling most of them.

  ii  gnupg-agent            2.0.7-1          GNU privacy guard - password agent
  ii  gnupg-doc              2003.04.06-6     GNU Privacy Guard documentation
  ii  gnupg2                 2.0.7-1          GNU privacy guard - a free PGP replacement
  ii  gpgsm                  2.0.7-1          GNU privacy guard - S/MIME version
  ii  gpgv                   1.4.6-2ubuntu5   GNU privacy guard - signature verification tool
  ii  libgpg-error0          1.4-2ubuntu7     library for common error values and messages in GnuPG components
  ii  libgpgme11             1.1.5-2ubuntu1   GPGME - GnuPG Made Easy
  ii  pgpgpg                 0.13-9           Wrapper for using GnuPG in programs designed for PGP
  ii  python-gnupginterface  0.3.2-9ubuntu1   Python interface to GnuPG (GPG)
  ii  seahorse               2.22.2-0ubuntu1  A Gnome front end for GnuPG
Using gpg-agent like ssh-agent?
I work with ssh-agent using ssh-add from the command line: "ssh-add key0 key1 key2" to activate keys (sometimes with -t to set a time limit), and "ssh-add -d key1" or "ssh-add -D" to deactivate them.

Is there a similar way to work with gpg-agent?
Re: Public key contents
On 2007-04-28, James Moe wrote:

> Hello,
> Is it possible to view the contents of a public key file without
> importing first?

If you want to see the key ID, UIDs and so on that you would be getting if you imported it, try this:

  $ gpg --import -n -vv FILE

-n is also known as --dry-run.

HTH.
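An added example, not part of the thread and not GnuPG's own code: a small Python lister that does what the dry-run import above reports (packet types, key IDs, UIDs) by walking the file's OpenPGP packets directly, so nothing from an untrusted key file ever goes near a keyring. It dearmors, parses old- and new-format packet headers (RFC 4880 section 4.2) and computes v4 fingerprints (section 12.2), of which the key ID is the low 64 bits. The sample key it parses is constructed inline and is not a real key: the moduli, the UID "Adam Example <adam@example.org>" and the CRC line are placeholders, and it carries no self-signatures, which a real export would (those show up here as signature packets reported by size only). Only v4 keys and non-partial packet lengths are handled.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

PACKET_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}

def dearmor(text: str) -> bytes:
    """Strip the ASCII-armor envelope (BEGIN/END lines, armor headers, CRC line).
    The CRC-24 trailer is dropped, not verified."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                    # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def parse_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2),
    minus indeterminate and partial body lengths, which a key export never uses."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos}")
        if ctb & 0x40:                                    # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, body
        pos += hdr + length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def describe(tag: int, body: bytes) -> dict:
    """Summary of one packet, roughly what gpg --list-packets prints for it."""
    info = {"tag": tag, "type": PACKET_NAMES.get(tag, f"tag {tag}"), "length": len(body)}
    if tag in (6, 14):
        if body[0] != 4:
            raise ValueError(f"only v4 keys handled, got v{body[0]}")
        created = struct.unpack(">I", body[1:5])[0]
        fp = v4_fingerprint(body)
        info.update(version=4, algo=PK_ALGOS.get(body[5], str(body[5])),
                    created=datetime.fromtimestamp(created, timezone.utc).isoformat(),
                    fingerprint=fp, keyid=fp[-16:])   # key ID = low 64 bits of the fingerprint
    elif tag == 13:
        info["uid"] = body.decode("utf-8", "replace")
    return info

def inspect_key(data) -> list:
    """List the packets of a key file (armored str or raw bytes) without importing it."""
    if isinstance(data, str):
        data = dearmor(data)
    elif data.startswith(b"-----BEGIN"):
        data = dearmor(data.decode("ascii"))
    return [describe(tag, body) for tag, body in parse_packets(data)]

# ---- constructed sample key (placeholder numbers, not a real key) so this runs offline ----
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:          # old-format header, two-byte length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def sample_key_file() -> str:
    created = struct.pack(">I", 1117555911)           # 2005-05-31T16:11:51Z
    primary = b"\x04" + created + b"\x01" + _mpi(0xC0FFEE0000DEADBEEF0000000000CAFF) + _mpi(65537)
    subkey = b"\x04" + created + b"\x01" + _mpi(0xFEEDFACE00000000BADC0DE000000001) + _mpi(65537)
    raw = _packet(6, primary) + _packet(13, b"Adam Example <adam@example.org>") + _packet(14, subkey)
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(raw).decode() + "\n=crc0\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Usage: `inspect_key(open("somekey.asc").read())` on a real export returns one dict per packet; compare the primary key's `keyid` and `fingerprint` against what the sender told you out of band before deciding whether to import at all.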
Re: Local file encryption
On 2007-02-19, John Clizbe wrote:

> The passphrase is only one protection on your keypair and it's
> pretty much the protection of last resort - given an easily
> guessable/brute-forced passphrase, it's "Game-Over." if an attacker
> gets access to the keyring files. Another protection is to
> physically secure your keyring files (or at the minimum, the secret
> ring) by storing it on removable media of some sort:

Is there any reason to physically secure your *public* keyring in normal use? (Well, I suppose you might want to hide your secret identity!)
(UK-specific) consultation about RIPA
Consultation on the Investigation of Protected Electronic Information under RIPA

The Home Office has issued a consultation on a revised draft statutory code of practice on investigation of protected electronic data, which relates to the exercise and performance of the powers and duties that will arise from the implementation of Part III of the Regulation of Investigatory Powers Act 2000.

Part III of the Regulation of Investigatory Powers Act 2000 established powers to impose a requirement upon a person to put protected electronic information into an intelligible form or to disclose a key which will enable the data to be put into an intelligible form.

The Government has kept under review the need to implement the provisions in Part III. Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency. This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III.

Please ensure you read the consultation document which can be found at http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/
Re: gnupg-agent not working...
On 2006-06-05, Zach Himsel <[EMAIL PROTECTED]> wrote:

> Hello,
> I am using Thunderbird with the Enigmail extension. It gets annoying
> to me to have to enter in my password every time I want to send a
> signed (every email) or encrypted (only some) email. Sure, it saves it
> for 5 minutes idle time, but it's not like someone is going to go on
> my computer and send emails signed by me as it is a private computer
> which only I have access to. In the past I have used the gnupg-agent

Under OpenPGP->Preferences->Basic you can set "Remember passphrase for ___ minutes of idle time" to any value up to , which is almost 7 days.
Re: Getting KMail to let me encrypt to an unsigned key?
On 2006-05-16, Werner Koch <[EMAIL PROTECTED]> wrote:

> Adam Funk <[EMAIL PROTECTED]> writes:
>
>> I'm not sure what you mean. Thunderbird (for example) lets the user
>> designate unsigned keys for recipients in the address book and encrypt
>> to them.
>
> It is up to the MUA on how to handle this. The generic solution is to
> use a local-key signature.
>
>> Thanks. Will it be possible later either to un-lsign the key or to
>> sign it properly (for export)?
>
> Given that it is a local signature you may simply delete it. Changing
> this to an exportable signature is possible simply by "sign"ing it.
> gpg will warn you then:
>
> Do you want to promote it to a full exportable signature? (y/N)

Thanks!
Re: Getting KMail to let me encrypt to an unsigned key?
On 2006-05-16, Werner Koch <[EMAIL PROTECTED]> wrote:

> Adam Funk <[EMAIL PROTECTED]> writes:
>
>> Is there any way to override this restriction?
>
> It is not a restriction but a requirement.

I'm not sure what you mean. Thunderbird (for example) lets the user designate unsigned keys for recipients in the address book and encrypt to them.

> If you know that you have the correct key, you only need to locally
> sign this key. ("lsign" in gpg --edit-key).

Thanks. Will it be possible later either to un-lsign the key or to sign it properly (for export)?
Re: Getting KMail to let me encrypt to an unsigned key?
On 2006-05-15, Ingo Klöcker <[EMAIL PROTECTED]> wrote:

>> (Two apologies: this is slightly off-topic, and I've also posted the
>> same question to the debian-user list.)
>
> You should have tried [EMAIL PROTECTED] :-)

I'll try that next, thanks!

>> I'm running the Debian kmail 3.3.2-3 package and gpg 1.4.3 compiled
>> from the source.
>>
>> As far as I can tell, it flatly refuses to let me encrypt a message
>> to any key that doesn't have a signature chain back to a trusted key.
>> I can see the usefulness of a warning about doing this, but I've
>> accidentally sent a message unencrypted while trying to find a way
>> around the problem.
>>
>> Is there any way to override this restriction?
>
> No, but there's a corresponding (and already very old) wish in KDE's bug
> tracking system (bugs.kde.org).

Would lsign-ing the key circumvent the problem? Would it cause any other problems?
Getting KMail to let me encrypt to an unsigned key?
(Two apologies: this is slightly off-topic, and I've also posted the same question to the debian-user list.)

I'm running the Debian kmail 3.3.2-3 package and gpg 1.4.3 compiled from the source.

As far as I can tell, it flatly refuses to let me encrypt a message to any key that doesn't have a signature chain back to a trusted key. I can see the usefulness of a warning about doing this, but I've accidentally sent a message unencrypted while trying to find a way around the problem.

Is there any way to override this restriction?
Re: GPG creates two files?
On 2006-04-22, razzel <[EMAIL PROTECTED]> wrote:

> OK, I use GPG to encrypt a Word file. Everything works out ok, but the result
> is always two files: the Word file in plain text and an encrypted version of
> the same Word file. Why is GPG creating two files? Should it not just
> encrypt my Word file?

It *is* encrypting your Word file. The foo.doc file is your unencrypted original, unaltered by GPG, and foo.doc.gpg is the encrypted version.

GPG doesn't remove the original because it doesn't know you want to get rid of it (you might only want to send someone the encrypted version) and it doesn't have a built-in way to delete it securely (you need some kind of file-wiping utility, which will depend on your OS).
Re: auto-key-locate pka (gpg version 1.4.3)
On 2006-04-10, David Shaw <[EMAIL PROTECTED]> wrote:

> No. There is no compile-time question whether enarmor exists or not.
> It just exists. If you want a list of all keywords that GnuPG
> understands, use "gpg --dump-options".

Isn't that an undocumented option too? I've just tried "gpg --help |grep dump" and "man gpg" with a search for dump, and they both find nothing.
Re: auto-key-locate pka (gpg version 1.4.3)
On 2006-04-10, Alphax <[EMAIL PROTECTED]> wrote:

> David Shaw wrote:
>> On Sun, Apr 09, 2006 at 06:16:14PM -0400, John A. Martin wrote:
>>> "ds" == David Shaw "Re: auto-key-locate pka (gpg version 1.4.3)" Sat, 8 Apr 2006 20:11:48 -0400
>>>
>>> ds> This means that the build of GnuPG you have has no DNS support (pka
>>> ds> and cert require DNS support, and ldap and keyserver don't).
>>>
>>> Wouldn't it be nice if 'gpg --version' printed a list of the features
>>> available in the version supported and not-supported by the
>>> executable?
>>
>> That's a good idea. I'll look at doing that.
>
> Will that also include "undocumented" features like --enarmor?

Why is that now undocumented? I'm sure it used to be in the man page.
Best/correct way to back up keys and configuration?
What's the best way to back up my GnuPG keyrings -- just a tar.gz of the ~/.gnupg directory? Or is there any advantage to producing additional files with the "--export" and "--export-secret-keys" commands?

(I know that the backups then need to be stored securely.)
Relying on gpg exit code 0?
Should I be confident about using gpg's return code 0 in a script (run automatically by at or cron) to make encrypted backups? Example:

  cd /backup/directory
  tar cf user1.tar /home/user1
  gpg -er 0x01234567 user1.tar && rm user1.tar

Thanks,
Adam
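An added example, not from the thread and not GnuPG's own code: a Python wrapper for the backup step above that removes the plaintext only once three independent signals agree that encryption happened: gpg's exit status, its machine-readable status lines (the `--status-fd` interface gpg provides for scripts, whose `END_ENCRYPTION` keyword marks a completed encryption), and a non-empty ciphertext on disk. It also covers the point made in the "GPG creates two files?" reply above: gpg never touches the original, so deleting it is the script's job, and that deletion is an ordinary unlink rather than a wipe. Assumptions: 0x01234567 is the placeholder key ID from the post, `gpg` is on PATH, and `--trust-model always` is passed because a backup recipient key often has no web-of-trust validity.

```python
import os
import subprocess
from pathlib import Path
from typing import Dict, List, Sequence

STATUS_PREFIX = "[GNUPG:] "

def parse_status(text: str) -> Dict[str, List[List[str]]]:
    """Collect gpg's status lines ('[GNUPG:] KEYWORD args...') into
    {KEYWORD: [[args...], ...]}; ordinary stderr chatter is ignored."""
    status: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            words = line[len(STATUS_PREFIX):].split()
            if words:
                status.setdefault(words[0], []).append(words[1:])
    return status

def encrypt_then_remove(plain, recipient: str, gpg: Sequence[str] = ("gpg",)) -> Path:
    """Encrypt `plain` to `recipient` and unlink the plaintext only if gpg
    exited 0, emitted END_ENCRYPTION on its status fd, and wrote a non-empty
    ciphertext. Otherwise the plaintext stays, any partial ciphertext is
    removed, and RuntimeError is raised (so cron mails the failure).

    `gpg` is the argv prefix for the gpg binary; tests substitute a stand-in."""
    plain = Path(plain)
    out = plain.with_name(plain.name + ".gpg")

    def fail(why: str):
        if out.exists():
            out.unlink()                      # never leave a half-written .gpg behind
        raise RuntimeError(f"{why}; plaintext kept at {plain}")

    cmd = [
        *gpg,
        "--batch", "--yes",                   # no prompts under cron; overwrite stale output
        "--status-fd", "2",                   # status lines go to stderr with the messages
        "--trust-model", "always",            # assumption: backup key may lack WoT validity
        "--output", str(out),
        "--encrypt", "--recipient", recipient,
        str(plain),
    ]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)
    status = parse_status(res.stderr)

    if res.returncode != 0:
        fail(f"gpg exited {res.returncode}: {res.stderr.strip()}")
    if "INV_RECP" in status or "END_ENCRYPTION" not in status:
        fail("gpg did not report END_ENCRYPTION (bad recipient or nothing encrypted)")
    if not out.is_file() or out.stat().st_size == 0:
        fail(f"gpg reported success but {out} is missing or empty")

    # gpg never touches the original; this is an ordinary unlink, not a wipe.
    # If the plaintext must be unrecoverable from disk, use an OS-specific wiper here.
    os.unlink(plain)
    return out
```

For a cron job it is also worth piping `tar cf - /home/user1` straight into `gpg --encrypt --output user1.tar.gpg`, so the plaintext archive never reaches the disk and there is nothing to delete; the same status-line check then tells you whether the archive is complete.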
Re: How to import a secret subkey?
> Date: Tue, 21 Jun 2005 09:11:51 -0400
> From: David Shaw <[EMAIL PROTECTED]>
>
> > I recently created a new subkey for a keypair that I use on two
> > machines, but I cannot get the subkey onto the second machine. I
> > have tried gpg --export, --export-secret and --export-secret-subkey
> > on the first computer but gpg --import refuses to add the subkey on
> > the second one.
> >
> > How can I do this?
>
> You can't. GnuPG does not currently support merging secret subkeys.
> To do it, you need to delete the secret key on the second machine and
> re-import the whole key.

That worked. Thanks!

I think there used to be a restriction that "gpg --import secretkey.gpg" wouldn't work without setting a special option. Is importing secret keys by accident no longer considered a risk?
How to import a secret subkey?
I recently created a new subkey for a keypair that I use on two machines, but I cannot get the subkey onto the second machine. I have tried gpg --export, --export-secret and --export-secret-subkey on the first computer but gpg --import refuses to add the subkey on the second one.

How can I do this?

Thanks,
Adam
Re: Revocation certificate still valid after changing subkeys?
> It applies to the master key only. You do not need to generate a new
> revocation certificate. Revoking the master key takes out all UIDs
> and subkeys in one step.

That's what I suspected.

Thanks,
Adam
Revocation certificate still valid after changing subkeys?
When I created my keypair I dutifully created and safely stored a revocation certificate for it. I recently added a new subkey and revoked the old subkey (as discussed on this list). I've also added and revoked a few UIDs since the key was created.

Is there any reason to generate a new revocation certificate? Or does it apply directly to the master key only?

Thanks,
Adam
Re: Shouldn't keyservers store and provide subkeys?
Werner Koch wrote:

> That keyserver as well as all other servers running the old HKS
> software are broken. You should move away from that keyserver and use
> an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at
> subkeys.pgp.net.

Thanks very much for the information. I was not aware of this problem.

> BTW, to avoid answering these questions over and over,

Sorry!
Shouldn't keyservers store and provide subkeys?
Following a recent discussion about subkeys, I decided to add a new subkey and revoke the old one on each of my keys (one used at work, one at home). Then I tried to update each machine to have the new public subkeys (using pgp.mit.edu):

  work $ gpg --send-key WORKKEYID
  home $ gpg --recv-key WORKKEYID
  home $ gpg --send-key HOMEKEYID
  work $ gpg --recv-key HOMEKEYID

In both cases, the output of "gpg -v --list-key KEYID" showed that the new subkey had not been added. I had to use --export and --import to get the subkeys transferred in both directions.

Is this normal behaviour or did I do something wrong?