Re: out-of-key UIDs [was: ADK's]
On Thu, May 04, 2023 at 11:01:36AM +0100, Andrew Gallagher wrote:
> > I tried something like this with my MUA, I believe that doesn't work:
> > it first looks for appropriate keys, probably using --list-keys;
> > in fact, it insists on choosing a single key when multiple ones
> > are available.
>
> Which MUA is this?

Mutt.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: out-of-key UIDs [was: ADK's]
On Thu, May 04, 2023 at 09:52:54AM +0100, Andrew Gallagher wrote:
> > $ gpg --group fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A
> > --list-keys fn...@test.eu
> > gpg: error reading key: No public key
...
> --list-keys doesn’t expand groups. Try this instead:
>
>
> andrewg@serenity % gpg --group
> fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A -r fn...@test.eu -e <
> /etc/shells > shells.gpg
> gpg: 0x40F9B9601900E974: There is no assurance this key belongs to the named
> user

I tried something like this with my MUA, I believe that doesn't work:
it first looks for appropriate keys, probably using --list-keys;
in fact, it insists on choosing a single key when multiple ones
are available.

...
> It is NOT certain that the key belongs to the person named
> in the user ID. If you *really* know what you are doing,
> you may answer the next question with yes.
>
> Use this key anyway? (y/N) y

This is another issue ADK might handle differently---if gpg skipped
validation of the donor keys (where ADK subkeys come from), I wouldn't
have to certify any UIDs in it.
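The difference discussed in this message, as an added example (not part of the original post, and not Mutt's or GnuPG's code): a simplified Python model of a key search over user IDs, as a `--list-keys` lookup does, next to recipient resolution with a `--group` alias. The listing, fingerprints, addresses and the names `lookup_by_uid` and `resolve_recipient` are constructed for illustration, and the way an MUA looks up keys is an assumption.

```python
# Added example: a simplified model, not Mutt's or GnuPG's own code.
A, B, C = "A" * 40, "B" * 40, "C" * 40      # constructed fingerprints

# Constructed listing in the layout of `gpg --with-colons --list-keys`.
SAMPLE = f"""\
pub:u:2048:1:{A[-16:]}:1413849600:::u:::scESC:
fpr:::::::::{A}:
uid:u::::1413849600::::Alice Example <alice@example.org>:
sub:u:2048:1:1111111111111111:1413849600::::::e:
fpr:::::::::{'1' * 40}:
pub:-:255:22:{B[-16:]}:1600000000:::-:::scESC:
fpr:::::::::{B}:
uid:-::::1600000000::::Bob <bob@example.org>:
pub:-:255:22:{C[-16:]}:1650000000:::-:::scESC:
fpr:::::::::{C}:
uid:-::::1650000000::::Robert <bob@example.org>:
"""

# Alias in the style of `--group name=fingerprint` (constructed address).
GROUPS = {"carol@example.net": [A]}

def parse_keys(listing):
    """Collect the primary fingerprint and user IDs of each key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]       # first fpr after pub is the primary
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])  # escapes in UIDs are not decoded
    return keys

def lookup_by_uid(keys, addr):
    """Key search by address: only user IDs are consulted, never groups."""
    want = f"<{addr.lower()}>"
    return [k["fpr"] for k in keys if any(want in u.lower() for u in k["uids"])]

def resolve_recipient(keys, groups, addr):
    """Recipient handling (-r): a group name is expanded before any search."""
    return list(groups[addr]) if addr in groups else lookup_by_uid(keys, addr)

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    print(lookup_by_uid(keys, "carol@example.net"))              # no UID matches
    print(resolve_recipient(keys, GROUPS, "carol@example.net"))  # alias applies
    print(lookup_by_uid(keys, "bob@example.org"))                # two candidates
```
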
Re: out-of-key UIDs [was: ADK's]
On Mon, May 01, 2023 at 03:16:12PM +0100, Andrew Gallagher wrote:
> On 1 May 2023, at 12:40, Ineiev via Gnupg-users wrote:
> > now, I generate a key
> > for y...@guan.edu locally and add 0123456789ABCDEF as an ADK (BTW,
> > will GnuPG complain if the only encryption-capable subkey is ADK?
>
> Or you could just use an alias…?

I don't think I fully understand what you mean.

$ gpg --group fn...@test.eu=BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A --list-keys fn...@test.eu
gpg: error reading key: No public key
$ gpg --list-keys BD9D4DEE7B2FF1CBEF2EE0C4E0ACD3E0CBE7874A | head -n1
pub rsa2048 2014-10-21 [SC] [expires: 2024-10-17]
$ gpg --version | head -n2
gpg (GnuPG) 2.2.41
libgcrypt 1.8.10
Re: ADK's
On Sun, Apr 30, 2023 at 10:52:10PM -0500, Jacob Bachmeyer via Gnupg-users wrote:
>
> That is an almost prototypical example. In that case, the "archive" key
> would actually be the main subkey, and the list recipients' personal keys
> would be attached as ADKs.
>
> Another example: suppose I have multiple hardware tokens and wish to be
> able to use them interchangeably, but also want maximal security with this
> arrangement, so have generated an encryption keypair on each token. I list
> all of the per-token subkeys as ADKs. In this case, the ADKs really would
> all be /my/ keys. Again, I would have to publish a new certificate every
> time my collection of live tokens changes, which may or may not leak useful
> information to an adversary.

It looks like the feature will allow for quite unexpected (if not
unintended) uses.

Another potential use is: I have reasons to believe that the holder
of the key 0123456789ABCDEF controls the email y...@guan.edu, but
that key has no user ID with such email, and I couldn't validate
any other emails in that key. When I'm writing to that email,
my MUA will look for keys with user IDs that match it. Now, I generate
a key for y...@guan.edu locally and add 0123456789ABCDEF as an ADK
(BTW, will GnuPG complain if the only encryption-capable subkey is ADK?
Can I make all self-signatures local in order to avoid sending
the key to keyservers?)
Re: ADK's
On Sun, Apr 30, 2023 at 05:41:31PM +0200, Johan Wevers via Gnupg-users wrote:
>
> All I want is an option to ignore adk's - and it should not claim
> anything else than that.

Can't you remove ADK subkeys from your keyring?
Re: Key Management - BSI had send private key instead of public key
On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
> That's kind of a misconception: as English is a western germanic
> language it's not that German made its way into English but English is
> *based* on German.

To be precise, not on German---it's based on the common ancestor.
Both English and German deviate considerably from it.
Re: make check -> libgcrypt is too old
On Wed, Nov 10, 2021 at 08:13:18AM +0100, Werner Koch via Gnupg-users wrote:
>
> Not a good idea. That may break things. It is better to install
> libgcrypt and the other libs to /user/local/lib and then set
> LD_LIBRARY_PATH accordingly (or fix search order in ld.so.conf).

make install usually says,

> Libraries have been installed in:
...
> If you ever happen to want to link against installed libraries
> in a given directory, LIBDIR, you must either use libtool, and
> specify the full pathname of the library, or use the `-LLIBDIR'
> flag during linking and do at least one of the following:
>    - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
>      during execution
>    - add LIBDIR to the `LD_RUN_PATH' environment variable
>      during linking
>    - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
>    - have your system administrator add LIBDIR to `/etc/ld.so.conf'
>
> See any operating system documentation about shared libraries for
> more information, such as the ld(1) and ld.so(8) manual pages.