using private key on removable media
This is mostly a wishlist comment, I guess: It would be great if gnupg would look at all information (keys) available to it before deciding whether it could perform a given operation. For example, using my key:

$ gpg --secret-keyring /media/disk/.gnupg/secring.gpg --list-secret-keys
/home/hawke/.gnupg/secring.gpg
--
sec#  1024D/51192FF2 2002-03-22
[some subkeys, not including the smartcard ones]

/media/disk/.gnupg/secring.gpg
--
sec   1024D/51192FF2 2002-03-22
[some subkeys, not including the smartcard ones]
sec#  1024D/51192FF2 2002-03-22
[some subkeys]
ssb   1024R/4A1C1224 2005-06-27
ssb   1024R/F40CACBA 2005-06-27
ssb   1024R/694C9CA5 2005-06-27

First, when trying to sign a key using this setup, gnupg decides by looking only at the first keyring that 'secret key parts are not available', even though they are available from the second keyring.

Second, when trying to use the smartcard keys from the second keyring, gpg decides from the first keyring that those keys are not available either.

This is with gnupg 2.0.3.

-Alex Mauer hawke

-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.
OpenPGP key id: 51192FF2 @ subkeys.pgp.net

signature.asc
Description: OpenPGP digital signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
Werner Koch wrote:
> I am pretty sure that this is a problem of the distribution. The most
> common problem is that pcscd has been started and thus gained exclusive
> access to the reader.

I'd agree, except that mine is now prompting, and accepting input from the keyboard, for the PIN. That's a symptom of the problem you describe above, correct?

The previous pinpad problem I had was that it would prompt to use the pinpad but then would fail after entering the PIN. That's a separate problem, correct?

-Alex Mauer hawke
Re: external pinpad, gnupg, SPR532 PinPad SmartCard Reader
Michael Parker wrote:
> Hi,
> I tried to setup an external smartcard reader with a pinpad and on gentoo
> I don't get it to work. On an ubuntu-installation the pin isn't entered
> by the external pinpad but by the regular keyboard and that works fine.
> On gentoo I'm asked to enter the pin on the pinpad of the reader. After
> entering it doesn't find the secret key.

For what it's worth, the external pinpad did start to work for me on Ubuntu for a while. But then I changed something and it stopped (it may have been enabling ssh support in the scdaemon -- I changed a few things and didn't keep track of exactly what it was). So the external pinpad is very very close to working in Ubuntu.

-Alex Mauer hawke
Re: deleting signatures from uids
Peter S. May wrote:
> I would think that it's important for keyservers to widely distribute
> the revocation certificates of revoked signatures.

Agreed. But it's not important to distribute signatures that have been revoked.

> If the keyservers simply omitted revoked signatures from search results,
> how would a client know that this uid was revoked?

Because the server could, and presumably would, still distribute revocation signatures, but not the signatures they revoke.

> Stripping data that isn't particularly useful is a job better left to
> the client.

I disagree. Downloading the data only to discard it is a waste of time and bandwidth.

-Alex Mauer hawke
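As an added example of the server-side behaviour Alex is arguing for (written for this page; not code from SKS, pks or any other keyserver), here is a filter over a constructed list of certification signatures on one user ID: it drops certifications that a later 0x30 revocation from the same issuer covers, keeps the 0x30 packets themselves so a client still learns the certification was revoked, and keeps a certification re-issued after the revocation. The Sig class, the user ID and the key IDs are invented for the illustration and model only the fields the decision needs.

```python
from dataclasses import dataclass

# RFC 4880 signature types: 0x10-0x13 certify a user ID, 0x30 revokes such a
# certification made earlier by the same issuer on the same user ID.
CERTIFICATION_TYPES = {0x10, 0x11, 0x12, 0x13}
CERT_REVOCATION = 0x30


@dataclass(frozen=True)
class Sig:
    """Minimal model of a signature packet hanging off one user ID.

    Real packets carry much more (hashed subpackets, the signature itself);
    only the fields the filtering decision needs are modelled here.
    """
    uid: str
    issuer: str   # long key ID of the signer (constructed values below)
    sigtype: int
    created: int  # signature creation time, seconds since the epoch


def strip_revoked_certifications(sigs: list[Sig]) -> list[Sig]:
    """Drop certifications that a later 0x30 from the same issuer revokes.

    The 0x30 packets are kept: a client that already holds the old
    certification still learns it was revoked, while a client that never
    saw it is spared the download. A certification made *after* the
    revocation is a fresh statement and is kept.
    """
    latest_revocation: dict[tuple[str, str], int] = {}
    for s in sigs:
        if s.sigtype == CERT_REVOCATION:
            key = (s.uid, s.issuer)
            latest_revocation[key] = max(latest_revocation.get(key, 0), s.created)

    kept = []
    for s in sigs:
        if s.sigtype in CERTIFICATION_TYPES:
            rev_time = latest_revocation.get((s.uid, s.issuer))
            if rev_time is not None and s.created <= rev_time:
                continue  # revoked: the 0x30 packet speaks for it
        kept.append(s)
    return kept


# Constructed sample: one key with one user ID and three certifiers.
UID = "Dan Mundy <dan@example.invalid>"
SAMPLE = [
    Sig(UID, "AAAAAAAAAAAAAAAA", 0x13, created=1_000),   # A certifies
    Sig(UID, "AAAAAAAAAAAAAAAA", 0x30, created=2_000),   # A revokes that
    Sig(UID, "BBBBBBBBBBBBBBBB", 0x12, created=1_500),   # B certifies, never revoked
    Sig(UID, "CCCCCCCCCCCCCCCC", 0x10, created=1_000),   # C certifies ...
    Sig(UID, "CCCCCCCCCCCCCCCC", 0x30, created=2_000),   # ... revokes ...
    Sig(UID, "CCCCCCCCCCCCCCCC", 0x13, created=3_000),   # ... and re-certifies later
]


if __name__ == "__main__":
    for s in strip_revoked_certifications(SAMPLE):
        print(f"{s.issuer} type=0x{s.sigtype:02x} created={s.created}")
```

The ordering check on `created` is what keeps the filter honest: a 0x30 only covers certifications made before it, so an issuer who revokes and later re-signs still has the new certification served. What the model leaves out is the signature verification a real server would have to do before trusting a 0x30 at all; an unverified revocation from a forged issuer must not be allowed to suppress a genuine certification.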
Re: Revocation of keys from smart card
Alex L. Mauer wrote:
> Is it possible to revoke keys that have been stored on a smart card? It
> seems to me that it is not. Am I correct, or do I just need to do
> something other than revkey?

Oh right ... my bad on that one (it helps to have the secret key for the primary key on the keyring that's being edited). But perhaps GnuPG should give an error of some kind indicating that it didn't work and why.
Re: OEM key loggers
Atom Smasher wrote:
> does anyone know if this is true?
> http://www.chromance.de/wtf/lol.htm
> if it is...

It's not. See http://www.dansdata.com/keyghost.htm for the source of the images, and:

  If you do a search for dept. of homeland security's logo, it is a blue colour circular logo with an eagle in it. The one on the fake letter is a five-pointed star, which is commonly used for Sheriff's office.

Source: http://www.boingboing.net/2005/06/16/conspiracy_theory_of.html
Re: OpenPGP Smartcard Advantages
Werner Koch wrote:
> The only thing a malicious host can do is to lock the card (by sending
> several times a wrong PIN) and to trick you into signing or decrypting
> data.

This just made me think. Wouldn't it thus be trivial [for a malicious host] to destroy a smart card (by sending the wrong admin pin repeatedly)?

-Alex Mauer hawke
Re: OpenPGP Smartcard Advantages
Jan Niehusmann wrote:
> I wondered if the card couldn't just erase itself completely when the
> wrong Admin-PIN is entered three times. This would at least save the
> card itself, which is worth some euros. But OTOH, just locking the card
> is probably easier to implement in a safe way (it's an atomic operation
> which can't be aborted by just turning off power, for example).

That's a good idea. I think you could implement it safely, by making the card treat the locked status (zeroed pin retry counter?) as a flag that it should erase itself. Then, when it had erased itself and verified the erasure it could reset the pin retry counter (and possibly reset the admin PIN to default). That way, even if you abort it by turning off power, as soon as you apply power again the card either resumes or restarts the erasure process (depending on which is the best combination of speed and security).

It seems to me that this is just as good as becoming permanently locked from a security standpoint, and better from a convenience standpoint (if you forget/lose/corrupt the admin PIN, all you have to do is enter it wrong three times.) And in the case of a malicious host, you're better off in that you don't have to shell out for another card.
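To make the proposal concrete, the following is an added toy model written for this page, not code from the OpenPGP card, GnuPG, or anyone in the thread. It assumes invented names (ToyCard, PowerLoss, fault_after) and a factory admin PIN of 12345678, and models the two messages above: Werner's malicious host burning the admin retry counter, and Alex's suggestion that a zeroed retry counter is itself the "erase pending" flag, so that a wipe interrupted by cutting power resumes at the next power-up and only then resets the PIN and the counter.

```python
"""Toy model of the self-erasing card proposed in this thread (added
illustration, not the OpenPGP card's or GnuPG's behaviour)."""
import hashlib
import hmac
import os

ADMIN_RETRIES = 3
DEFAULT_ADMIN_PIN = b"12345678"  # assumed factory default for the toy card
KEY_SLOTS = 3                    # signature, encryption, authentication
KEY_BYTES = 32


class PowerLoss(Exception):
    """Simulates the host cutting power part-way through an operation."""


def _pin_digest(pin: bytes) -> bytes:
    # Reference value for the PIN; a real card keeps this in secure storage.
    return hashlib.sha256(pin).digest()


class ToyCard:
    def __init__(self) -> None:
        # Everything in self.nv is 'non-volatile': it survives power loss.
        self.nv = {
            "admin_pin": _pin_digest(DEFAULT_ADMIN_PIN),
            "admin_retries": ADMIN_RETRIES,
            "keys": [bytearray(os.urandom(KEY_BYTES)) for _ in range(KEY_SLOTS)],
            "has_keys": True,
            "erase_progress": 0,   # number of slots already verified wiped
        }
        # Fault injection for the demo: raise PowerLoss before wiping slot N.
        self.fault_after = None

    def power_on(self) -> None:
        """The only entry point after a reset: finish any pending erase first."""
        if self.nv["admin_retries"] == 0:   # locked == erase pending
            self._erase()
            self._reinitialise()

    def verify_admin(self, pin: bytes) -> bool:
        if self.nv["admin_retries"] == 0:
            # Never service commands while an erase is pending.
            self.power_on()
            return False
        if hmac.compare_digest(_pin_digest(pin), self.nv["admin_pin"]):
            self.nv["admin_retries"] = ADMIN_RETRIES
            return True
        self.nv["admin_retries"] -= 1
        if self.nv["admin_retries"] == 0:
            self._erase()            # may be interrupted by PowerLoss
            self._reinitialise()
        return False

    def _erase(self) -> None:
        # One slot per step, committing progress only after each verified
        # wipe, so an interrupted erase resumes where it stopped.
        for i in range(self.nv["erase_progress"], KEY_SLOTS):
            if self.fault_after is not None and i >= self.fault_after:
                raise PowerLoss()
            slot = self.nv["keys"][i]
            slot[:] = bytes(KEY_BYTES)
            if any(slot):                      # verify before committing
                raise RuntimeError("wipe verification failed")
            self.nv["erase_progress"] = i + 1

    def _reinitialise(self) -> None:
        # Reached only after every slot is verified wiped.
        self.nv["has_keys"] = False
        self.nv["erase_progress"] = 0
        self.nv["admin_pin"] = _pin_digest(DEFAULT_ADMIN_PIN)
        self.nv["admin_retries"] = ADMIN_RETRIES


def malicious_host(card: ToyCard, attempts: int = ADMIN_RETRIES) -> None:
    """What the malicious host does: burn the admin retry counter."""
    for _ in range(attempts):
        card.verify_admin(b"00000000")


def attack_with_power_loss() -> dict:
    """Run the attack, cut power after one slot is wiped, power back on."""
    card = ToyCard()
    card.fault_after = 1
    try:
        malicious_host(card)
    except PowerLoss:
        pass
    interrupted = dict(retries=card.nv["admin_retries"],
                       progress=card.nv["erase_progress"],
                       has_keys=card.nv["has_keys"])
    card.fault_after = None
    card.power_on()                      # resumes and completes the erase
    return dict(interrupted=interrupted,
                wiped=all(not any(k) for k in card.nv["keys"]),
                has_keys=card.nv["has_keys"],
                retries=card.nv["admin_retries"],
                default_admin_pin_works=card.verify_admin(DEFAULT_ADMIN_PIN))


if __name__ == "__main__":
    print(attack_with_power_loss())
```

The property that matters is that `erase_progress` is committed only after a slot is verified zero, and that nothing but a completed erase can take the retry counter off zero: cutting power at any point leaves the card either still pending or fully wiped and reset, never half-wiped and usable. Note what this does not fix: the malicious host can still destroy the keys on the card, so the denial of service remains and only the hardware survives. Later OpenPGP card versions gained a terminate/activate sequence with much the same effect, exposed in gpg --card-edit as factory-reset.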
Re: Sign my key - Was (no subject)
Francis Gulotta wrote:
> How do we know it's really yours or that you are really you? I'll accept
> that this message was signed with it, but by signing your key it means I
> have no doubt that it really does indeed belong to Dan Mundy. And I've
> never met him.

I know this is rather controversial, but for a lot of people it doesn't matter if the person really is Dan Mundy, since Dan Mundy is just a string, and doesn't really have any inherent meaning attaching it to a physical entity.

You can be *somewhat* sure that if you send an encrypted email to some address, and they respond to its contents, that someone who has access to that mailbox also knows the passphrase to the relevant key. Physically meeting someone doesn't prove that the keyholder hasn't shared the passphrase and private key. If there's a picture UID on the key and it matches the person that you physically meet, it doesn't prove that the person you met has the passphrase to the key, or that they have access to the mailbox associated with the key. With a photo ID, it can prove (to the extent that they have proven it to the ID issuer, i.e. not a whole lot) that the name on the key matches the person you've physically met. But if you interact primarily over the net, that doesn't really matter. There's a major missing link between the email address and the physical person at the meeting.

For purposes of network addresses, I mostly couldn't care less if the person who uses the email address [EMAIL PROTECTED] *actually* goes by the name, or is known to some government by the name Dan Mundy. What I do care about is that the same keyholder who signed this message, also signed that one, and I have some basis for believing they both came from the same person. And *that* is the important step. I can build up a level of trust based on the contents of messages signed by that key. If he starts spouting crap that is inconsistent with prior messages, I can lower my trust on the determination that his key has been compromised, or he's gone nuts, or he's changed his mind. But what he's actually named by his parents is totally irrelevant to that.

If I was entering into some sort of contract with him, validating the government ID might start to matter so I could enlist some governmental aid in enforcing it, if it became necessary. But the more risk I'm taking in some contract, the less likely I am to trust any middle-men to have verified someone's identity.
Re: IBM to Provide Security w/o Sacrificing Privacy Using Hash Functions
Florian Weimer wrote:
> * Sean C.:
>> The I.B.M. software would convert data on a person into a string of
>> seemingly random characters, using a technique known as a one-way hash
>> function. No names, addresses or Social Security numbers, for example,
>> would be embedded within the character string.
>
> For most applications, this is just a speed bump because the search
> space is rather small. It's even worse for the no-fly list because you
> have to apply some data reduction first (think SOUNDEX): a lot of the
> names on them have varying transliteration.

Can you expand on this? How could the Name/address/ssn be retrieved from a hash of the same? How would data reduction be necessary? Couldn't everything be represented in Unicode? Of course, that doesn't solve the transliteration problem, but then again it's no different than the status quo in that respect (Alex Mauer != Aleks Mauer)
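The following added example (written for this page; not code from IBM, Florian or Sean) answers the question in the reply above in code. It hashes a constructed SSN and name the way the article describes, recovers both by enumerating the small input space, and shows why hashing without a prior reduction such as Soundex cannot match "Alex Mauer" against "Aleks Mauer". The record values, the candidate name list and the hash-rate figure used for the time estimate are all assumptions.

```python
import hashlib
from typing import Iterable, Iterator, Optional


def pseudonymise(value: str) -> str:
    # What the article describes: an unkeyed one-way hash of the record field.
    # Whatever canonical form the matcher hashes (digits only, no dashes, a
    # fixed case for names) the attacker simply mirrors.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Invert pseudonymise() by brute force over a candidate space."""
    for cand in candidates:
        if pseudonymise(cand) == target:
            return cand
    return None


def ssn_candidates(known_prefix: str = "") -> Iterator[str]:
    """All 9-digit SSNs sharing a prefix. The whole space is only 10**9; an
    attacker who knows the area/group digits has 10**4 serials left."""
    width = 9 - len(known_prefix)
    for n in range(10 ** width):
        yield f"{known_prefix}{n:0{width}d}"


def seconds_to_exhaust(space_size: int, hashes_per_second: float = 1e7) -> float:
    # 1e7 SHA-256/s is an assumed, conservative single-core rate.
    return space_size / hashes_per_second


# Soundex: the kind of data reduction Florian means. Two spellings of one
# name hash to unrelated values, but reduce to the same code.
_CODES = {c: d for d, letters in {"1": "bfpv", "2": "cgjkqsxz", "3": "dt",
                                  "4": "l", "5": "mn", "6": "r"}.items()
          for c in letters}


def soundex(name: str) -> str:
    """American Soundex (classic rules; h and w do not separate duplicates)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return ""
    out, last = letters[0].upper(), _CODES.get(letters[0], "")
    for ch in letters[1:]:
        code = _CODES.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":
            last = code
    return (out + "000")[:4]


# Constructed candidate list, as an attacker might assemble from a directory.
NAMES = ["Alex Mauer", "Aleks Mauer", "Dan Mundy", "Florian Weimer"]


def demo() -> dict:
    ssn_hash = pseudonymise("123456789")          # constructed record value
    name_hash = pseudonymise("Alex Mauer")
    return {
        "ssn": recover(ssn_hash, ssn_candidates("12345")),
        "name": recover(name_hash, NAMES),
        "full_ssn_space_seconds": seconds_to_exhaust(10 ** 9),
        "same_hash": pseudonymise("Alex Mauer") == pseudonymise("Aleks Mauer"),
        "same_soundex": soundex("Alex Mauer") == soundex("Aleks Mauer"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. A public salt changes nothing here, since the attacker salts the same way; only a keyed function (an HMAC under a key the attacker does not hold) stops the enumeration, and then whoever holds the key can still do it. And the reduction step cuts both ways: once names are Soundex-coded before hashing, the candidate space shrinks from all spellings to a few thousand codes, so the "speed bump" gets lower still.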
GPG error code with successful signing operation
When GPG is set to use the gpg-agent but the gpg-agent is not available (error message "gpg-agent is not available in this session" or "can't connect to `/path/to/non-existent-pipe': No such file or directory"), it produces a fatal error code of 2 even if the passphrase is successfully entered at the prompt. This strikes me as incorrect behavior.

-Alex Mauer hawke