Sirs.
Clearsign is not working on a new Debian install. NisT-P21. Encryption/decryption works.

Hej.

Yours sincerely
Richardh Bostrom

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
No secret key
Sirs and ladies!

I received this message when using --clear-sign:

    gpg: no default secret key: No secret key
    gpg: clear-sign failed: No secret key

Both my public and private key have been imported. The key was made with a different user (as sudo). The current user is a non-sudo user.

Yours truly
Richardh Bostrom
Public Key
Dear sirs and ladies!

May I please ask why some 4096-bit keys are longer than others? Richard Stallman's key is much longer than my 4096-bit key.

Thank you.

Best regards
Richardh Bostrom
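The question above receives no reply on this page. As an added illustration (not from the list or any of its posters), the Python code below tallies the packets of a binary OpenPGP export as defined in RFC 4880: the 4096-bit modulus lives in one fixed-size public-key packet, while user IDs, subkeys and, above all, third-party certification signatures collected over the years account for the rest of the size. The sample exports are constructed from placeholder bytes, not real key material.

```python
"""Why two "4096-bit" OpenPGP keys export to very different sizes.

A transferable public key (RFC 4880, section 11.1) is a sequence of packets:
one public-key packet (whose size is fixed by the modulus), then user IDs,
subkeys and signatures. Every third-party certification adds a signature
packet, so a widely signed key is far larger than a fresh one of the same
bit length. This parser walks a binary (not ASCII-armored) export and
tallies packets by type. All sample data is constructed dummy bytes.
"""

# RFC 4880, section 4.3: packet tags found in a transferable public key.
TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key",
             7: "secret subkey", 13: "user ID", 14: "public subkey",
             17: "user attribute"}


def parse_packets(data: bytes):
    """Yield (tag, body_length, header_length) for every packet in data.

    Handles old-format (RFC 4880, 4.2.1) and new-format (4.2.2) headers.
    Raises ValueError on truncated input, indeterminate old-format lengths
    and partial body lengths (which appear in data packets, not in keys).
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: bit 7 clear, not a packet header")
        if pos + 1 >= len(data):
            raise ValueError(f"offset {pos}: header truncated")
        if ctb & 0x40:                      # new format: 6-bit tag
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:                 # one-octet length
                length, hdr = first, 2
            elif first < 224:               # two-octet length, 192..8383
                length = ((first - 192) << 8) + data[pos + 2] + 192
                hdr = 3
            elif first == 255:              # five-octet length
                length = int.from_bytes(data[pos + 2:pos + 6], "big")
                hdr = 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old format: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length old-format packet")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            hdr = 1 + nbytes
        if pos + hdr + length > len(data):
            raise ValueError(f"offset {pos}: packet body truncated")
        yield tag, length, hdr
        pos += hdr + length


def summarize(data: bytes) -> dict:
    """Map packet type name -> (count, total bytes including headers)."""
    summary = {}
    for tag, length, hdr in parse_packets(data):
        name = TAG_NAMES.get(tag, f"tag {tag}")
        count, total = summary.get(name, (0, 0))
        summary[name] = (count + 1, total + hdr + length)
    return summary


def build_packet(tag: int, body: bytes) -> bytes:
    """Encode body as a new-format packet (used only to construct samples)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


# Constructed samples: a version-4 RSA key packet is version, creation time
# and algorithm octets, the 512-byte modulus MPI and a short exponent MPI;
# a signature carries an MPI as long as the signer's modulus. Placeholder bytes.
RSA4096_KEY_BODY = (b"\x04" + b"\x00" * 4 + b"\x01" + b"\x10\x00" + b"\xAA" * 512
                    + b"\x00\x11\x01\x00\x01")
PRIMARY = build_packet(6, RSA4096_KEY_BODY)
UID = build_packet(13, b"Example User <user@example.org>")
SELF_SIG = build_packet(2, b"\x04\x13" + b"\x00" * 10 + b"\xBB" * 512)
SUBKEY = build_packet(14, RSA4096_KEY_BODY.replace(b"\xAA", b"\xCC"))
BINDING_SIG = build_packet(2, b"\x04\x18" + b"\x00" * 10 + b"\xDD" * 512)
THIRD_PARTY_SIG = build_packet(2, b"\x04\x10" + b"\x00" * 10 + b"\xEE" * 256)  # 2048-bit signer

FRESH_KEY = PRIMARY + UID + SELF_SIG                        # just generated
WELL_SIGNED_KEY = (PRIMARY + UID + SELF_SIG + THIRD_PARTY_SIG * 12
                   + SUBKEY + BINDING_SIG)                  # same 4096-bit primary

if __name__ == "__main__":
    for label, export in (("fresh key", FRESH_KEY), ("well-signed key", WELL_SIGNED_KEY)):
        print(f"{label}: {len(export)} bytes")
        for name, (count, total) in summarize(export).items():
            print(f"  {count:3d} x {name:<14} {total:6d} bytes")
```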
Re: Estonian e-residency
On Tuesday, 07.02.2017, 11:33 +, Andrew Gallagher wrote:
> On 06/02/17 09:37, Richard Ulrich wrote:
> >
> > So we sometimes resort to keybase.io. There the key is verified by
> > some social media. Sure, if the social media profile has existed
> > for some years and has some legitimate-looking interactions, it is
> > a good indicator that it's not a fake account. But still, I would
> > trust a government verification more than social media.
>
> keybase.io is a great idea. But its main use is to tie a PGP key to a
> social media account or accounts that act as a surrogate web of trust
> (by being referenced in multiple independent places by hopefully
> reputable third parties). But if your correspondent's social network
> does not overlap with yours, again I'm not sure much value is added.

Every piece adds to the probability of the key being valid.

> > For example I bought a car last week with Bitcoin. The person that
> > handled the payment for the seller was not present, but gave me his
> > keybase.io user name on the phone. He signed the email containing
> > the Bitcoin address for the payments with his GPG key. He didn't
> > have any signatures on his key.
>
> I'm not sure I would have the cojones to follow through with this
> deal, signatures or no. ;-)
>
> > In this scenario I'm grateful for every piece of validation to give
> > the key more credibility.
>
> In a scenario where you do not know the intermediary, the only
> meaningful validation is whether the vendor vouches for both the
> intermediary's person and key. The fact that the intermediary
> offers you *an* identity doesn't mean you are validating the correct
> identity.

He is the business partner of the son of the seller. The son was present and wrote the info down for me.

> If for example he had given you a key signed by a Russian government
> agency, would you have had more confidence? Granted, you like (and
> obviously trust to some extent) the Estonian e-ID system. Others
> might not have so much faith.
>
> Sorry if I'm coming across as a little harsh, but you are proposing
> spending hard cash and I'd hate to see you do so and not get your
> money's worth. By all means, get an e-ID for the fun, for experiment,
> or to start up a company. But signing PGP keys with it is non-standard,
> and it's hard enough to convince most people to verify keys via
> standard methods.
>
> The problem with any PKI (which we still haven't cracked) is that the
> motivation to get your key signed is "How do I prove my identity to
> others", while the motivation of the person verifying the key is "To
> what extent should I trust this person". And unfortunately, the two
> questions are far from equivalent.

Usually the proof of identity is done with government-issued IDs. So the Estonian e-residency smart card is not so much different in that regard. Of course it would be better if every country issued something like that to its citizens. And even better if that was compatible with GPG. But until that happens we might have to improvise sometimes. There is also SuisseID, somehow similar, but the cost is so high that nobody is interested.

Rgds
Richard

> A
Re: Estonian e-residency
Hi Andrew,

of course it is better to directly sign the key. And it is also better if there is a short path in the web of trust. But my use case is for when there is no path at all in the web of trust. Most people I know don't even have a GPG key. And of the ones that have a key, chances are high that they don't have any signatures on it.

So we sometimes resort to keybase.io. There the key is verified by some social media. Sure, if the social media profile has existed for some years and has some legitimate-looking interactions, it is a good indicator that it's not a fake account. But still, I would trust a government verification more than social media.

For example I bought a car last week with Bitcoin. The person that handled the payment for the seller was not present, but gave me his keybase.io user name on the phone. He signed the email containing the Bitcoin address for the payments with his GPG key. He didn't have any signatures on his key. In this scenario I'm grateful for every piece of validation to give the key more credibility.

Rgds
Richard

On Thursday, 02.02.2017, 13:42 +, Andrew Gallagher wrote:
> On 02/02/17 12:02, Richard Ulrich wrote:
> >
> > I thought about applying for Estonian e-residency for the sole
> > reason of adding credibility to my GPG key. My idea would be to sign
> > my GPG key with the ID card. This could give people who are not in
> > my web of trust a head start.
>
> Which particular people? And a head start at doing what?
>
> AIUI the e-residency signature is not PGP-compatible, so people will
> need to verify it using a separate tool. And once I have verified your
> e-residency signature, what does it mean to me? At best, it tells me
> that you are one of possibly many people known to the Estonian
> Government as "Richard Ulrich". Unless I have already dealt with you
> elsewhere via your Estonian ID, how does this help me?
>
> What particular problem are you trying to solve? It seems to me that
> unless you are going to use your E-identity for some other purpose,
> tying your GPG key to it adds little value. You say your sole reason
> for applying for e-residency is to add "credibility" to your existing
> key. But how is asking the Estonian government to verify your passport
> more credible than producing your passport at a keysigning party? Or
> better still, showing it to the actual person you want to talk to?
>
> Andrew.
Re: gnupg website
Hi,

On Mon, Jan 30, 2017 at 7:54 AM, Glenn Rempe <gl...@rempe.us> wrote:
> I believe all Safari and iOS users are excluded from
> gnupg.org without action on the TLS setup.

I can confirm that Safari won't open https://gnupg.org/ on macOS 10.12.3. Very frustrating indeed!

Best,
Richard
Re: Proof for a creation date
Hi Bertram,

sorry for the late answer. Blockchain was mentioned in some answers, but nothing concrete. Check this out:
https://github.com/opentimestamps

Rgds
Richard

On Friday, 02.12.2016, 03:12 +0100, Bertram Scharpf wrote:
> Hi,
>
> we all know that kidnappers do publish a picture of their
> hostage holding up today's newspaper. The purpose of this is
> to prove that the victim was alive _after_ a certain point
> of time. I want to do the opposite. I want to make evidence
> that I created a document _before_ a certain point of time.
>
> I could use self-darkening ink but that won't be reflected
> in a JPEG scan and my pen won't do the job that TeX does.
> I could sign a newspaper's home page but that cannot be
> reproduced at a later point of time to verify the signature.
>
> Is there a standard way in GnuPG and in the keyholder
> infrastructure to accomplish this task?
>
> Thanks in advance.
>
> Bertram
Re: Terminology - certificate or key ?
On Mon, Oct 3, 2016 at 4:14 PM, Werner Koch <w...@gnupg.org> wrote:
> Here are two padlocks:
>
> <https://de.wikipedia.org/wiki/Vorh%C3%A4ngeschloss#/media/File:3_Vorhangschloesser.jpg>
>
> We would call the left one a "normales Vorhängeschloss" (simple
> padlock). But the middle one is known as a "Schnappschloss" - referring
> to the feature that you do not need a key to lock it.

Growing up in (East) Germany myself, I've never, ever, heard or read this word before. I always assumed all padlocks would lock without a key, hence be "Schnappschlösser". Never seen or handled anything else. :)

But maybe I'm simply too young; the padlock-without-Schnappschloss type appears to be kind of ancient?

Cheers,
Richard
Re: GPG and Mailinglists using IBCPRE
Hi,

we've been using Schleuder2 for many years now, and it has always worked flawlessly on a medium-traffic mailing list as long as everyone used OpenPGP/MIME. Inline PGP will cause trouble from time to time.

Richard
Re: managing OpenPGP cards in batch mode?
On Wed, May 4, 2016 at 9:12 PM, Dashamir Hoxha wrote:
> I do not advertise, I express my opinion.

Please keep it to yourself, then. Your provocative, passive-aggressive communication style is outrageous and disrespectful.
gpg and smartcard on ubuntu 16.04
I didn't read this list for a while, so forgive me if this was discussed before.

For many years I have used gpg and gpg-agent with ssh support with an OpenPGP smartcard. On every ubuntu upgrade I had to fiddle a little bit to have gpg-agent act for ssh auth. No big deal usually. But this time, after the usual fiddling, I have it working nicely for ssh and evolution. But now it's the direct usage of gpg on the command line that is giving me a hard time. This aspect always worked out of the box so far.

I use the stock versions from the ubuntu 16.04 repository:

    gnupg       1.4.20-1ubuntu3
    gnupg2      2.1.11-6ubuntu2
    gnupg-agent 2.1.11-6ubuntu2
    scdaemon    2.1.11-6ubuntu2

In ~/.bashrc I terminate gpg-agent if it was started without ssh support, and start it again with:

    /usr/bin/gpg-agent --daemon --enable-ssh-support > /dev/null

Now if I want to decrypt a file:

    gpg -d Dokumente/somefile.txt.gpg
    gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
    gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
    gpg: Kartenleser ist nicht vorhanden

    gpg --use-agent -d Dokumente/somefile.txt.gpg
    gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAA …
    gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
    gpg: Kartenleser ist nicht vorhanden

    gpg2 -d Dokumente/somefile.txt.gpg
    gpg: verschlüsselt mit RSA Schlüssel, ID
    gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel

    gpg --card-status
    gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
    gpg: Kartenleser ist nicht vorhanden
    gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

    gpg2 --card-status
    Reader ...........: ...
    Application ID ...: ...
    Version ..........: 2.0
    Manufacturer .....: ZeitControl

All this was never a problem until now. Are there any tricks to get the interfacing with smartcards working smoother again?

If I powercycle the smartcard and kill scdaemon, it will first ask me for the other smart card that contains the master key. If I don't provide this, I could not figure out how to decrypt the file. The only way was to plug in that other smart card, and have gpg find out that this is not the one we need. Then it asks me to plug in the card that I indeed need. Now I can enter the PIN, but strangely in the console, and not in the pinentry window. With this awkward workflow I am able to decrypt the file.

Rgds
Richard
Re: Single GPG key and multiple yubikeys
Yeah, what I'm hoping to do is be able to carry my card with me and jump on a terminal while traveling and sign and log in to things.

Peter Lebbing <mailto:pe...@digitalbrains.com>
February 25, 2016 at 9:56 AM
> gpg --delete-secret-keys XXX
>
> But don't do this when your primary key is on-disk, only do this when
> all your secret key material is stubs.
>
> Note that it is very impractical to regularly use two smartcards on the
> same computer because of all this. You should probably stick to using a
> single smartcard on any single computer.
>
> HTH,
>
> Peter.

Kristian Fiskerstrand <mailto:kristian.fiskerstr...@sumptuouscapital.com>
February 25, 2016 at 9:48 AM
> Delete the stubs and do gpg --card-status to learn of the new smartcard
>
> --
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> Public OpenPGP key at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> Aquila non capit muscas
> The eagle does not hunt flies

Richard Genthner <mailto:richard.genth...@wheniwork.com>
February 25, 2016 at 9:44 AM
> How do I delete the stubs without deleting the key? And when I do
> gpg --card-status, it never updates the application id.

Richard Genthner <mailto:richard.genth...@wheniwork.com>
February 25, 2016 at 8:38 AM
> So I have a single gpg key for work with 3 sub keys. I have copied it
> to a yubikey nano just fine. Removed the yubi and removed my gpg key
> and then reimported the gpg key and inserted yubikey number two and did
> keytocard again for the second yubikey. Whenever I do ssh -l git github.com:
>
>     gpg-agent[99732]: chan_10 -> SETDESC Please remove the current card and insert the one with serial number:%0A%0A "D276000124010201000604163260"

--
Richard Genthner
Sr DevOps Engineer
When I Work, Inc. <http://www.wheniwork.com/>
St Paul, MN
Re: Single GPG key and multiple yubikeys
How do I delete the stubs without deleting the key? And when I do gpg --card-status, it never updates the application id.

Kristian Fiskerstrand <mailto:kristian.fiskerstr...@sumptuouscapital.com>
February 25, 2016 at 9:48 AM
> Delete the stubs and do gpg --card-status to learn of the new smartcard
>
> --
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> Public OpenPGP key at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> Aquila non capit muscas
> The eagle does not hunt flies

--
Richard Genthner
Sr DevOps Engineer
When I Work, Inc. <http://www.wheniwork.com/>
St Paul, MN
Single GPG key and multiple yubikeys
So I have a single gpg key for work with 3 sub keys. I have copied it to a yubikey nano just fine. Removed the yubi and removed my gpg key and then reimported the gpg key and inserted yubikey number two and did keytocard again for the second yubikey. Whenever I do ssh -l git github.com:

    gpg-agent[99732]: chan_10 -> SETDESC Please remove the current card and insert the one with serial number:%0A%0A "D276000124010201000604163260"

which is the nano. It seems that even killing the gpg-agent and inserting the other yubikey doesn't work. Suggestions?

--
Richard Genthner
Sr DevOps Engineer
When I Work, Inc. <http://www.wheniwork.com/>
St Paul, MN
Re: Unsubscription Request (was: Re: How to get your first key signed)
Hello Peter,

On Sun, Oct 4, 2015 at 9:55 PM, Peter Lebbing <pe...@digitalbrains.com> wrote:
> I personally find this statement disrespectful to the people who tried
> to help miss Lynn, when she is not very approachable and offers no more
> explanation as to why she can't just unsubscribe than the following

you certainly got a point there. My apologies to anyone who may have felt insulted.

Nevertheless, it can be extremely hard for a not-so-tech-savvy person to provide a good description of the exact problems they are encountering. A possible explanation for her weak responsiveness could be that she was simply overwhelmed by the amount of (undesired) email flooding her inbox. Who knows.

And while I usually always prefer helping people to help themselves (as you and others did), this approach was undoubtedly unfruitful here over the course of several weeks. Remote support can be a very tricky and time-consuming endeavor :)

At any rate, thanks to all who were trying to help. Still, I'm hoping some moderator or admin could simply remove her address from the list.

Richard
Unsubscription Request (was: Re: How to get your first key signed)
Hello everyone,

On Sat, Oct 3, 2015 at 8:23 PM, Crissy Lynn <misscrissyl...@gmail.com> wrote:
> Please! For the 600th time! REMOVE ME FROM THIS MAILING LIST!

so for whatever reason, this user is obviously unable to successfully unsubscribe from this mailing list. Will not any of the list admins/moderators have mercy and remove her email address from the list?

I find the repeated explanations of how to unsubscribe extremely unhelpful, bordering on disrespect, since they do not provide the kind of help this user needs. You told her "601 times", she somehow failed equally often, is unable to comply, so please HELP her already and remove that email address!

Richard
Re: GnuPG 2.0.27 stable released
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Congratulations on the new release.

--
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! See stallman.org/skype.html.
Re: Help needed to use truecrypt + openpgp applet.
Hi Ranjini,

Does it have to be TrueCrypt? LUKS works very well with OpenPGP SmartCards or Java applets implementing it (e.g. YubiKey NEO). Just follow the steps in this blog post:
https://blog.kumina.nl/2010/07/two-factor-luks-using-ubuntu

Rgds
Richard

On Thursday, 19.02.2015, 13:53 +0530, Ranjini H.K wrote:
> Thanks Pete Stephenson. Yes my java card supports PKCS#11. Am not so
> sure about OpenPGP applet. What should I do otherwise to make my
> OpenPGP applet support PKCS#11?
>
> Ranjini HK
> Software Engineer - Tyfone, Inc.
> Bangalore
> www.tyfone.com
> Mobile: +91-9886262192
>
> On Thu, Feb 19, 2015 at 1:46 PM, Pete Stephenson p...@heypete.com wrote:
> > On Thu, Feb 19, 2015 at 5:53 AM, Ranjini H.K ranjin...@tyfone.com wrote:
> > > Hi all,
> > >
> > > Am trying to implement disk encryption/decryption using truecrypt
> > > with security token support. I have a java card with openPGP applet
> > > loaded on to it. In spite of configuring truecrypt to use the
> > > security token, it's not finding it and notifying me with an error
> > > saying: security token error FUNCTION NOT SUPPORTED.
> >
> > Considering the way it was abandoned by its developers, TrueCrypt is
> > probably not the best choice going forward.
> >
> > That said, TrueCrypt only supports smartcards that use PKCS #11
> > libraries. Does the JavaCard you're using support PKCS #11? Does the
> > OpenPGP applet?
> >
> > --
> > Pete Stephenson
Re: setting env vars for gpg-agent
Hi Werner,

So, I replaced my content in .bashrc with yours, but the behavior is still exactly the same.

* ssh smartcard auth works across different terminals (so the agent must be functional).
* evolution signing works only if started from the terminal, even if I comment out the line: if [ "$PS1" ]; then
* enigform in firefox doesn't sign the headers.

I did not understand the last paragraph with gpg-connect-agent /bye. But since the ssh part is working, I don't think that's necessary.

Rgds
Richard

On Sunday, 14.09.2014, 11:31 +0200, Werner Koch wrote:
> On Sat, 13 Sep 2014 22:02, ricu...@gmail.com said:
>
> > After gpg-agent stopped to work for ssh auth from OpenPGP smartcard
> > after some ubuntu upgrade a while back, I launch it and set the env
> > variables in ~/.bashrc.
>
> I suggest to launch gpg-agent on the fly: Add use-standard-socket to
> ~/.gnupg/gpg-agent.conf and remove all settings of GPG_AGENT_INFO. I
> use this in my ~/.bashrc:
>
> --8<---cut here---start->8---
> # If running interactively, then:
> if [ "$PS1" ]; then
>   # Setup information required by GnuPG and ssh.  We use the standard
>   # socket in GnuPG's homedir, thus there is no need for an
>   # environment variable.  We reset any left over envvar.
>   # SSH_AGENT_PID should not be set either because it is only used to
>   # kill ssh-agent (option -k) but we don't want this to kill
>   # gpg-agent.  Because ssh does not know about GnuPG's homedir we
>   # need to set its envvar to gpg-agent's ssh socket.  GPG_TTY needs
>   # to be set to the current TTY.  The extra test is used to avoid
>   # setting SSH_AUTH_SOCK if gpg-agent has been started with the
>   # shell on the command line (often used for testing).
>   unset GPG_AGENT_INFO
>   unset SSH_AGENT_PID
>   if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
>     export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
>   fi
> fi
> export GPG_TTY=$(tty)
> --8<---cut here---end--->8---
>
> If you want to use gpg-agent's ssh-agent implementation, you need to
> make sure that gpg-agent is started (because ssh does not know how to
> start gpg-agent).  You may do this with
>
>   gpg-connect-agent /bye
>
> This works since 2.0.16 released 4 years ago.  Recent ve
>
> Note that if you have ~/.gnupg on some remote file system, this may
> not work.
>
> Salam-Shalom,
>
>    Werner
Re: setting env vars for gpg-agent
Hi Werner,

I just discovered that signing deb packages is not as smooth as before.

* If I have an active gpg-agent session, it fails with the following error:

    clearsign failed: Allgemeiner Fehler

* If I reinsert the card, I get the following:

    gpg: GPG-Agent ist in dieser Sitzung nicht vorhanden
    Geben Sie die PIN ein:

  Then I have to enter the PIN twice in the terminal. In all other instances so far it was always in the graphical pinentry dialog.

I can verify that gpg-agent is still running, and still working for ssh. But for regular gpg operation I discovered also other problems:

    $ gpg -d mhs_paraeasy_ch.txt.gpg
    gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0xx …
    Bitte entfernen Sie die Karte und legen stattdessen die Karte mit folgender Seriennummer ein:
    D27xxx
    Drücken Sie 'Eingabe' wenn fertig; oder drücken Sie 'c' um abzubrechen:

All this worked with the previous content in .bashrc.

Rgds
Richard
setting env vars for gpg-agent
After gpg-agent stopped to work for ssh auth from OpenPGP smartcard after some ubuntu upgrade a while back, I launch it and set the env variables in ~/.bashrc. Since then I have to launch evolution from the terminal to have gnupg correctly work with it. But even if I launch firefox from the terminal, it doesn't seem to get the settings for enigform. Where would be a better place for that?

The gnupg docs suggest ~/.xsession. But that file didn't exist on my machine, and since unity is not based on X11 I doubt that it is read at all. In fact, I just copied the relevant lines from my .bashrc to .xsession and it didn't work for evolution or for firefox. Also ~/.profile doesn't seem to be the right place, as it just calls .bashrc.

These are my lines in .bashrc:

    # If the agent is not already running, start it
    if ! ps aux | grep -q '[e]nable-ssh-support'; then
        /usr/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info" > /dev/null
    fi
    # And then read the info back
    eval "$(cat "${HOME}/.gpg-agent-info")" > /dev/null

And here is the documentation I was referring to:
https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

So, where should I put those lines so that firefox receives the correct env vars?

Rgds
Richard
So on so forth
Still waiting for my email address, yet my blackphone is already in my hands. Keep up the good work. I'm not going to bother with 2.1 until the Mac guyz come to their senses about not forking the crypto. Could be a long wait.

On 2014-08-14 (226), at 11:57:06, Werner Koch w...@gnupg.org wrote:
> Hello!
>
> I just released the sixth *beta* version of GnuPG *2.1*. It has been
> released to give you the opportunity to check out new features and to
> help fixing bugs.
using different encryption key in evolution
I realize this question is more related to evolution than to gpg directly, but people here might know better than in an evolution mailing list (which I'm not subscribed to anyway).

Suppose a company has a mail address that is distributed among a group of employees. E.g. if I send a mail to sa...@compa.ny, that mail is forwarded to al...@compa.ny and b...@compa.ny. Now I want to send an encrypted mail to sa...@compa.ny, but there is no gpg key for that address. Instead I find keys for some of the people that will finally get the mail.

Is there a way in evolution to explicitly state which encryption keys to use? Judging from the gpg manpage, it could be done on the command line, but that would be difficult to then send as a regular email, I guess.

Rgds
Richard
Order of keys attempted to decrypt
I have my private sub keys on a smart card, and up until recently decrypting was always fine. Then I found out that for signing other people's keys, I need to have the primary private key available. So I put it on a second smart card as described here:
http://gnupg.10057.n7.nabble.com/Issues-with-primary-key-amp-subkeys-on-different-smartcards-td32228.html

Now decryption still works, but with a small hiccup:

    $ gpg -d test.txt.gpg
    gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AE275A9 …
    gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.91
    gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 8760DB3E …
    gpg: Alles klar, wir sind der ungenannte Empfänger.
    gpg: verschlüsselt mit RSA Schlüssel, ID

It first tries to decrypt using the primary key. And since the card with the primary key is not plugged in, it outputs an error before it tries the sub key that succeeds. I tried using the -r option to specify the key to use, but it was seemingly ignored.

Is there a way to specify which key to try first?

The problem I have at the moment is that some scripts fail, probably because of the error that is output. For example, it never reaches line 43 of the following script since I have the stub for the primary key:
https://github.com/ulrichard/locally_encrypted_remote_storage/blob/master/open_locally_encrypted_remote_storage.sh

Rgds
Richard

PS: out of curiosity: What does the ID mean in the output from gpg:
gpg: verschlüsselt mit RSA Schlüssel, ID
Re: [Announce] GnuPG launches crowdfunding campaign
As this is about a crypto project, wouldn't it be adequate to accept payments in crypto currencies?

Rgds Richard

On Don, 2013-12-19 at 11:08 +0100, Werner Koch wrote:
GnuPG encryption project launches crowdfunding campaign

Today GNU Privacy Guard (GnuPG) has launched its first crowdfunding campaign [1] with the aim of building a new website and long term infrastructure. The 24.000 EUR target will fund:
- Fresh web interfaces for gnupg.org including mobile
- Completion and release of GnuPG 2.1
- Anonymous Tor network access to the website
- A new user friendly download page suitable for all devices
- A new server for web services
- New pages convening external guides, videos, and handbooks
- Facilities for processing recurring donations for long term project support

Project founder and Lead Developer Werner Koch said “GnuPG has seen a huge upsurge in popularity following recent state spying revelations. After 16 years of continuous development, we are now asking for community support to capitalise on consumer demand for privacy, and make GnuPG easy to access for mainstream audiences”.

GnuPG is one of the few tools remaining above suspicion in the wake of leaked NSA documents. Edward Snowden and his contacts including Bruce Schneier switched to GnuPG when they began handling the secret documents earlier this year [2]. The Wall Street Journal, The Committee to Protect Journalists, and ProPublica [3] have all embraced GnuPG for protection of staff and sources. Phil Zimmermann, original inventor of Pretty Good Privacy (PGP), has also moved to GnuPG in the wake of the news.

“GnuPG is a key part of modern privacy infrastructure” said Sam Tuke, Campaign Manager, GnuPG. “Millions of users rely on GnuPG to work securely on servers, laptops and smartphones, but 2013 donations totaling 3.000 EUR to date have not even covered fixed costs. Supporting new algorithms like elliptical curve and fixing newfound exploits fast takes a lot of work which is done voluntarily. Now is the time for people to contribute to making GnuPG slick and more sustainable in future”.

Jacob Appelbaum, Tor Project developer, added “GnuPG is important - it allows us the assurances we need to do our work. Community funding is a critical part of a confident outlook for GnuPG in future.”

For further information, please contact Sam Tuke. Email: samtuke [at] gnupg.org Phone: +49 176 81923811

[1] http://goteo.org/project/gnupg-new-website-and-infrastructure
[2] http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
[3] http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php

== About GNU Privacy Guard ==
GnuPG is a leading cryptography app that protects emails and data from interception. It is developed by a community of Free Software engineers led by Werner Koch. GnuPG is used and recommended by the world’s top security experts, including Bruce Schneier and Phil Zimmermann. It offers best in class privacy free of charge and restriction. Hundreds of companies have integrated GnuPG into their products to perform mission critical security, including Red Hat, Deutsche Bahn, and many others. http://gnupg.org
Re: UK Guardian newspaper publishes USA NSA papers
On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote:
http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

And in other news... http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/ Google Chief Eric Schmidt Slams NSA.

-- Richard https://twitter.com/SleepyPenguin1
Re: UK Guardian newspaper publishes USA NSA papers
On Monday 04 Nov 2013 21:07:01 Julian H. Stacey wrote:
http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded

And in other news... http://slashdot.org/topic/datacenter/google-chief-eric-schmidt-slams-nsa-for-tapping-datacenters/ Google Chief Eric Schmidt Slams NSA. I met him in North Korea once.

-- Richard https://twitter.com/SleepyPenguin1
enable-ssh-support not enabled after upgrade to ubuntu saucy (gpg 1.4.14)
I set up ssh authentication a long time ago according to the second half of this guide (with smartcard): http://www.programmierecke.net/howto/gpg-ssh.html

It worked without an issue until I recently upgraded to Ubuntu 13.10. After the upgrade I had to disable gnome-keyring-ssh and gnome-keyring-gpg as well as ssh-agent again, as I did after previous upgrades. The configuration for enable-ssh-support in ~/.gnupg/gpg-agent.conf was still intact. On another system where the whole stuff still works, ps aux | grep gpg-agent shows only one instance with lots of options:

/usr/bin/gpg-agent --daemon --sh --write-env-file=/home/richi/.gnupg/gpg-agent-info-quadulrich /usr/bin/dbus-launch --exit-with-session /usr/bin/im-launch gnome-session --session=ubuntu

But on this system, it shows 5 instances, 4 with only --daemon and the fifth with an additional --sh. If I type gpg-agent --daemon --enable-ssh-support and execute the output in a terminal, I get an instance that works and handles the ssh key authentication. Is anybody here aware of some changes in this area, and knows how I need to configure my system to have it as seamless as before? More specifically, what do I need to do to have the gpg-agent started with all these options?

Rgds Richard
Re: [Announce] [security fix] GnuPG 1.4.14 released
Werner: No problems. MacBookPro9,1; Mountain Lion OS X 10.8.4 (12E55) Xcode 4.6.3

__outer

On 2013-07-25 (206), at 06:26:55, Werner Koch w...@gnupg.org wrote:
Hello! We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.14. This is a *security fix* release and all users of GnuPG 2.0 are advised to update to this version. See below for the impact of the problem.
Re: [Announce] [security fix] Libgcrypt 1.5.3 released
Werner: No problems. MacBookPro9,1; Mountain Lion OS X 10.8.4 (12E55) Xcode 4.6.3

__outer

On 2013-07-25 (206), at 05:53:33, Werner Koch w...@gnupg.org wrote:
Hello! I am pleased to announce the availability of Libgcrypt version 1.5.3. This is a *security fix* release for the stable branch.
Re: [Announce] GPA 0.9.4 released
w - does the new GPA work with win7-64? or are you still waiting 4funding?

__outer

On 2013-05-01 (121), at 06:18:43, Werner Koch w...@gnupg.org wrote:
Hello! We are pleased to announce GPA version 0.9.4.
Re: [Announce] Libgcrypt 1.5.1 released
Herr Koch: No problems here: Mountain Lion OS X 10.8.3 (12D78), Xcode v4.6.1. Some guidance on how to set up the HMAC256 self-checking correctly might be of assistance. hmac256 is built and installed, but it doesn't seem to be invoked in order to generate the required files.

__outer

On 2013-03-18 (77), at 12:13:55, Werner Koch w...@gnupg.org wrote:
ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.1.tar.bz2
Re: OT: USB key with hardware encryption?
Apparently I just now figured out how to use Google ;) Found two flash drives with built-in encryption pinpad:
http://www.lok-it.net/
http://www.corsair.com/usb-drive/flash-padlock-2-usb-drive.html

Do you guys have any experience with one of these?

Best, Richard
OT: USB key with hardware encryption?
Hello, so, it happened again. Since I have neither a scanner nor a printer at home, I had to scan and print some important documents (CV, copies of some certificates) at my workplace. Scanned them right onto a USB key, which of course had to be unencrypted and formatted with a FAT file system. When I got back home, the key with all its sensitive data was gone. Probably left it somewhere on the train, I don't know. This is not the first time this has happened to me. I usually encrypt every mass storage device in my possession; but I cannot use full disk encryption software at my workplace because of access restrictions. Also, the standalone scanners require plain FAT, as mentioned earlier.

I was wondering whether there are USB flash memory devices available that support some kind of hardware encryption, i.e. maybe some USB key with a keypad, which only exposes a (transparently) decrypted filesystem to the host computer. I am using Linux, OS X, and Windows. Do you have any thoughts and recommendations on this issue?

Richard
Re: A safe text editor
On 09/05/2012 12:39 AM, antispa...@sent.at wrote:
Could you recommend a safe text editor, in the sense that it does protect the edited contents in memory, but, most important, on the disk (temp files and such)? Having functions to interact with gnupg would be even better. The point is to edit a text and have it all encrypted on disk. I'd like one that goes for .asc instead of .txt.

I don't know of a text editor that meets these criteria (granted I haven't done any research), but as for protecting the temporary files, you may want to use disk encryption instead. By using disk encryption, you can ensure that the temporary files are encrypted while you are editing regardless of which editor you use. But as for a text editor that uses protected memory, I don't have a recommendation for you.

--Paul
Changing the email address of a key
When I generated my new private key, I used one of my email addresses. This email address is stored both on the crypto stick (smart card) and in the secring.gpg or pubring.gpg, probably both. Now I would like to use that key with another email address. Is it possible to change the email address of a key, and how would I proceed to have it on the stick and in the gpg stub files?

Rgds Richard
Signing eMails doesn't work anymore
Hi, this is my first post to this list. I have a crypto stick from www.privacyfoundation.de, and when I first set it up, signing emails worked flawlessly. But then I wanted to also be able to use my crypto stick for ssh authentication. As adding the authentication subkey turned out to be difficult, I generated an entirely new private key with encryption, signature and authentication subkeys generated before putting them onto the crypto stick. SSH authentication works nicely now, but with the new key, signing emails always fails. Encryption and decryption still work. I'm using Evolution, but I also tried with Thunderbird. The error message I get is the same I get when trying to sign something with gpg directly. Could it be that gpg is confused which key to use?

#gpg --sign setup_my_system.sh
gpg: sending command `SCD PKSIGN' to agent failed: ec=6.18
gpg: Beglaubigung fehlgeschlagen: Allgemeiner Fehler
gpg: signing failed: Allgemeiner Fehler

#gpg2 --card-status
Application ID ...: D276000124010205115F
Version ..: 2.0
Manufacturer .: ZeitControl
Serial number : 115F
Name of cardholder: Richard Ulrich
Language prefs ...: de
Sex ..: männlich
URL of public key : [nicht gesetzt]
Login data ...: [nicht gesetzt]
Signature PIN : nicht zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key : 6555 FA9F AEEF 386C 50E2 7AE1 02EC 6014 E840 1492
created : 2012-08-07 19:01:59
Encryption key: 3A6C CF0A C29F 3DFC 60AF DCCE 31AA D811 8760 DB3E
created : 2012-08-07 19:00:54
Authentication key: 2C12 F55B 69D3 088E BFD9 C010 BABF AE12 5A09 7EF6
created : 2012-08-07 19:04:12
General key info..: pub 2048R/E8401492 2012-08-07 Richard Ulrich (ulrichard) xx...@gmail.com
sec# 2048R/0AE275A9 erzeugt: 2012-08-07 verfällt: 2022-08-05
ssb 2048R/8760DB3E erzeugt: 2012-08-07 verfällt: niemals Kartennummer: 0005 115F
ssb 2048R/E8401492 erzeugt: 2012-08-07 verfällt: niemals Kartennummer: 0005 115F
ssb 2048R/5A097EF6 erzeugt: 2012-08-07 verfällt: niemals Kartennummer: 0005 115F

#gpg2 --list-keys
/home/richi/.gnupg/pubring.gpg
--
pub 2048R/0AE275A9 2012-08-07 [verfällt: 2022-08-05]
uid Richard Ulrich (ulrichard) xx...@gmail.com
sub 2048R/8760DB3E 2012-08-07
sub 2048R/E8401492 2012-08-07
sub 2048R/5A097EF6 2012-08-07
sub 2048R/EC980139 2012-08-07 [verfällt: 2022-08-05]

Rgds Richard
Re: Mac OS X 10.8 and OpenPGP Cards
On 27/7/2012 20:12, Kevin Kammer wrote:
It has been so long since I had to mess with it (on my mac anyway) that I don't remember.

Which libraries do you mean? I never had to install any additional libraries, at least not until 10.7.4. Don't know about ML though :)

Richard
Re: GnuPG 2.0.19 + Cryptostick - decryption fails with 4096 bit key
On Tue, Jun 5, 2012 at 6:43 PM, Mathieu Jolicoeur m...@spoked.ca wrote:
On this topic, I have found the following thread on the GPF forums, which lead me back to this list. https://www.privacyfoundation.de/forum/viewtopic.php?f=13t=1145

This could be pretty much the same issue which Edmond and Kevin are experiencing:
http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044195.html
http://lists.gnupg.org/pipermail/gnupg-users/2012-May/044335.html
Re: [META] The issue of the unwelcome CC (please email me if you receive a CC from me)
On Wed, Feb 1, 2012 at 06:35, Jerry je...@seibercom.net wrote:
I have encounter two individuals, not on this list, who also think it is cute to mail a response directly to the OP and then CC the list. Honestly, some people are alive only because it seems cruel to kill a retard.

I've done this before (on this list), but only because I had the impression almost everyone else here did it, so I just wanted to go with what I assumed to be expected. I don't think this makes me look like a retard, but rather considerate, since I tried to figure out what appeared to be the netiquette on this very list before posting anything. But thanks for the clarification anyway.

Richard
Re: Win7: Kleopatra does not open
Hi Roland,

On Fri, Oct 21, 2011 at 11:21, Roland Siemons (P) siem...@cleanfuels.nl wrote:
On 2 occasions it got working, but gave up a day later. Reinstall some success, and then failure again ... Any suggestions?

Do you see the Kleopatra process running in the task manager? If it's shown as running, could you look into the task bar? Maybe Kleopatra is hiding as a small tray icon there.

Richard
Re: Expired keys
On Thu, Oct 20, 2011 at 17:23, Jerry gnupg.u...@seibercom.net wrote:
Is there a way to delete all expired keys at once?

Have a look at gpgkeymgr (http://nudin.github.com/GnuPGP-Tools/), that's probably what you want.

Best, Richard
Re: Migrating to Smartcards
On Thu, Sep 1, 2011 at 06:11, Patryk Cisek pat...@debian.org wrote:
Or just go ahead and compile it yourself.

Unfortunately I only have a 64 Gig hard drive and no space left to install XCode :(
Migrating to Smartcards
Hello, for security reasons I have decided to migrate my most important subkeys to smartcards. I have a number of questions regarding the transfer/migration.

a) I've bought two OpenPGP smartcards (v2). Their overprint says they support RSA with up to 3072 bit. In the GnuPG 2.0.18 release notes one change was to "Allow generation of card keys up to 4096 bit." Does that apply to the OpenPGP v2 card?

b) As far as I know, the cards can only store subkeys, i.e. no primary key. That way, only decryption, signing and authentication will be possible. If I want to sign other keys, will I have to keep the primary key somewhere safe off-card?

c) For convenience, I bought two cards which are supposed to store the same keys. I want to carry one card around with me every day for mobile use (I also bought an SCR3500 reader for that purpose) and leave the other one at home in the card reader on my desk. Now the problem is that the keytocard command can only be issued once, since it deletes the key from the computer. To copy the keys to both cards, I would have to back up my secret keys, insert card #1, issue keytocard, restore the backup, insert card #2, issue keytocard again. Will that cause any problems in later GnuPG use as the cards' IDs are different?

Thanks! Richard
Re: Migrating to Smartcards
On Tue, Aug 30, 2011 at 20:49, David Tomaschik da...@systemoverlord.com wrote:
No, you can store a primary key. And you can use the 3 slots for any purpose (though I believe they must all tie to the same primary key). It would be common to combine signing and certification into one key (and I believe that is the default).

So it is impossible to use a separate signing subkey if I want to retain the possibility to sign other keys without keeping an off-card backup of the primary key? In the past I switched my signing subkeys every couple of years, keeping my primary key in place.

Richard
Re: Migrating to Smartcards
Hello,

On Tue, Aug 30, 2011 at 21:08, David Tomaschik da...@systemoverlord.com wrote:
No, I was just stating common practice. You could do a certification/primary key, a signing key, and an encryption key in the 3 slots.

Are you sure about that? Everywhere I read, the slots can only be used for: signing, decryption, authentication. If the signing slot is filled with the primary key, there is no more room for a signing subkey...

Richard
Re: Migrating to Smartcards
Thanks for all your help! I just noticed that on my mobile computer (running Mac OS X) I am still stuck with GnuPG 2.0.17 since MacGPG2 has not yet been updated. I will have to wait for an updated package before I can start moving my keys to smartcards.

Best, Richard
Re: How secure are smartcards?
Hello,

On Mon, Jul 25, 2011 at 12:05, Olav Seyfarth o...@enigmail.net wrote:
I did so but unfortunately my (old) card broke. So I was busted. To avoid that in the future, I now generated my new key for usage in the card on an offline system (e.g. Live-CD in RAM disk) and copied it on an old small memory card (to allow to easily decrypt by importing the whole key to my keyring after revoking it) which I encrypted differently and physically locked securely. I imported the key to 2 SmartCards while also locking one away as easy backup and another one for daily use. After shutting down the offline system, only the one card is used with computers connected to the net. If this one is lost or stolen, I'd revoke the key (with a rev cert that I also generated separately).

Would it be sensible to encrypt the key on the memory card key using the encryption key stored on both smartcards? If one smartcard breaks, you could still decrypt the key using the other card. And since the secret key for decryption cannot leave the cards, it would be a pretty secure solution, I guess. :)

Richard
Re: How secure are smartcards?
Whoops, typo:

On Sat, Aug 6, 2011 at 12:46, Richard rich...@r-selected.de wrote:
would it be sensible to encrypt the key on the memory card key using the encryption key stored on both smartcards?

was meant to read:

would it be sensible to encrypt the key on the memory card using the encryption key stored on both smartcards?
Re: How secure are smartcards?
On Fri, Jul 29, 2011 at 02:05, Crypto Stick cryptost...@privacyfoundation.de wrote:
For a state-of-the-art smart card like the OpenPGP Card 2, I guess the price tag would be around 100.000 Euros

100.000 as a one-time investment for breaking into an unlimited number of OpenPGP smart cards? If I were a government, I would definitely buy such a machinery... While at the same time, German authorities fail to break GnuPG's encryption for private keys, given a dictionary attack doesn't work out. (See http://annalist.noblogs.org/post/2009/01/04/bka-ratespielchen-rund-um-gnupg/ -- but it's written in German). Hence, one has to assume it's safer to use encrypted harddrives for key storage than a smartcard if one wants to protect their data from German authorities, I guess.

Richard
Re: gpg-agent automatically use passphrase for signing subkey?
As far as I know every subkey holds its own passphrase (per default, they are all identical for a given primary key). This means that passphrase requests are actually not action-based, but key-based. Please correct me if I'm wrong. :)

Richard
Re: Can version 1.4.11 be configured to use IDEA?
All right, thanks! :)
Re: Can version 1.4.11 be configured to use IDEA?
Hello,

On Tue, Jul 19, 2011 at 03:57, Robert J. Hansen r...@sixdemonbag.org wrote:
Is there some particular reason why you send messages in an obfuscated format?

How is that working anyway? Apparently GPG automatically decrypted those messages for me. How were they generated? What is that? :)

Thanks, Richard
Re: Establishing new key - key setup recommendations
On 04/15/2011 02:01 PM, Thomas Harning Jr. wrote:
I've generated and published an 8192-bit non-expiring RSA 'master' key for signing other keys as well as 2048-bit RSA keys for signing and encryption (expiring in a few years). The master key is protected by I have not had it signed by other users yet and am concerned that I might want to generate a new keyset before I get the 8192-bit key in wide circulation. I have, however, signed tags in my Git source repository with a subkey... so would it make sense to migrate those subkeys (through trickery I've seen)... or would the fact that they are available under the 8192-bit key be a general problem?

An 8192-bit key could be incompatible with most OpenPGP software. For that reason I wouldn't recommend it. However, compatibility won't make a difference if you will be the only one using your public key. On the other hand, if the key is for communication or code signing, compatibility is important. I believe that 4096 bits would be the largest size that you should use. Just know that if you want to use an OpenPGP smartcard, 3072 bits is currently the largest key size for a key stored on the card (if you use subkeys for encryption, signing, or authentication then the 3072-bit size doesn't apply to the master key). As far as migration is concerned, I don't know what you are referring to. Would you expound on this?

Some options I am considering after reading blogs/etc:

* Generate RSA 4096-bit master signing key and revoke the 8192-bit key noting that it has been superseded

I would recommend this since you want to use the key with other people. In which case, you need compatibility.

* Generate DSA 3072-bit master signing key and revoke... (this is well supported, right?)

It will work fine for anyone who uses GnuPG, as far as I know, but I don't know about PGP. You'll have to ask about PGP's support for 3072-bit DSA keys. But whether you should or shouldn't use a 3072-bit DSA key versus a 4096-bit RSA key is simply personal preference, notwithstanding any compatibility issues, if there are any.

* Wait for ECC to be in standard and supported by PGP and GnuPG

Don't wait; use cryptography now. There will always be a better solution coming. Just switch when it becomes available. And once again, remember compatibility. It is fine to switch to ECC when it becomes available, but don't throw away using regular RSA/DSA/Elgamal keys until most everyone else has switched to ECC.

* Generate ECC key and keep it alongside my better-supported 8192-bit key until better software support arrives (perhaps keeping both well-signed?) - this implies the ECC public key storage for signing it has been set in stone...

Notwithstanding my comments about an 8192-bit key, I would probably do this too after ECC has become available in GnuPG and has been well tested. I would have an ECC key and prefer its use, but have a non-ECC key for those who are still using non-ECC keys. Just know that everything that I have said is just one man's opinion, but the compatibility issue is several men's.

Cheers, -Paul
-- PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: public key not found, but it is there!
On 4/14/11 5:02 PM, Felipe Alvarez wrote:
Now, whenever I try to encrypt to user alice it fails, saying "encryption failed: public key not found". The public key is there! But it has a different fingerprint (17D11744). GPG is looking for Alice's old hash fingerprint (DE0155B3). How can I remedy this?

felipe@felipes /cygdrive/C/Program Files/GNU/GnuPG
$ ./gpg --list-keys
C:/Documents and Settings/felipe/Application Data/gnupg\pubring.gpg
---
pub 2048R/1A80C23E 2011-04-07
uid Bob Fresh bob.fr...@example.com
sub 2048R/402C0B65 2011-04-07

pub 1024D/17D11744 2011-04-14
uid alice fresh alice.fr...@example.net
sub 2048g/C2509E95 2011-04-14

felipe@felipes /cygdrive/C/Program Files/GNU/GnuPG
$ ./gpg -r alice -e random1
gpg: DE0155B3: skipped: public key not found
gpg: random1: encryption failed: public key not found

I would suggest looking in your gpg.conf file to see if there is an entry that contains alice. It may be that there is an entry like the following:

group alice=DE0155B3

If that is the case, then specifying alice as a recipient would encrypt to whatever keys are listed in the group alice. Try gpg --list-keys alice to see what response you get. Also, try the following command to encrypt to Alice: gpg -r 17D11744 -e some_file.

-Paul
-- PGP Key ID: 3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Enquiries about GnuPG
Hello, your questions have already been answered a couple of weeks ago, please see the thread at http://lists.gnupg.org/pipermail/gnupg-users/2011-March/040942.html

Best, Richard
Re: gpg command output language???
On 01/15/2011 11:34 PM, Bo Berglund wrote:
It beats me why a program like gpg should detect the keyboard type and change its language like this; language setting should be a voluntary change by the user, always! Just think how good it would be for an English speaking user to try and use a PC that happened to be set for, say, a Slovenian keyboard. Not possible to understand the output, right? So how can I change gpg such that it sends its responses in English only? I have checked gpg.conf, but there is no language setting there.

The GPG man page gives the following information:

Operation is further controlled by a few environment variables:
[...]
LANGUAGE
Apart from its use by GNU, it is used in the W32 version to override the language selection done through the Registry. If used and set to a valid and available language name (langid), the file with the translation is loaded from gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory out of which the gpg binary has been loaded. If it can't be loaded the Registry is tried and as last resort the native Windows locale system is used.

-Paul
-- Please use my PGP key when sending me e-mail, if you can. PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Organizing GPA public key list into favourites groups????
On 01/11/2011 02:12 PM, Bo Berglund wrote:
> What I did next was to locate the gpg.conf file in AppData in my profile (I am running Windows7 X64). Here I found a text part where it looked like one could add a group specification. So I went ahead and added this line:
> group developers = 0xDBC3175B 0x9209B308 0x8A51A0EE

The entry you made is syntactically correct.

> If I use GPA to encrypt a file, what happens is exactly like before, I get the unwieldy (not even sorted by name) list of recipients public keys to select from and nowhere at all is there any sight of my developers group! :-(

Try clicking on the heading "User Name". That will make GPA sort by name rather than key ID.

> Is there some other application that can be used to encrypt a file with GPG which actually works in Windows 7 X64 and also shows the group?

I don't know, I don't use Windows. But check out the list of frontends for GnuPG at http://gnupg.org/related_software/frontends.en.htm.

> Finally, is it possible to have more than one group in GPG? If so what is the syntax in the conf file? Can there be more than one line starting with group?

Yes, you can have more than one group in GPG, and each group entry begins with "group some_name=some_identifier" (without the quotation marks, of course). The GPG man page gives the following explanation:

  --group name=value1
      Sets up a named group, which is similar to aliases in email programs. Any time the group name is a recipient (-r or --recipient), it will be expanded to the values specified. Multiple groups with the same name are automatically merged into a single group. The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion --- you cannot make a group that points to another group.

      When used from the command line, it may be necessary to quote the argument to this option to prevent the shell from treating it as multiple arguments.

Cheers,
-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
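A small expander for the "group" syntax quoted from the man page above, as an added example (not GnuPG code and not from this thread): it parses group lines out of gpg.conf text, merges same-named groups, splits values on whitespace, and expands a recipient list exactly one level deep. The first "developers" line reuses the key IDs from the question; the extra IDs and the "managers" group are constructed.

```python
"""Expand gpg.conf `group` entries as the man page text describes: values are
whitespace-separated, same-named groups merge, and expansion is one level deep
(a member that happens to be another group's name is passed through as-is).
Added example, not GnuPG code; the conf fragment below is constructed."""
import re
from typing import Dict, List

# Constructed gpg.conf fragment. The first `developers` line is the one from
# the thread; the second shows merging of a same-named group; `managers` lists
# the group name `developers` as a member to show it is NOT expanded again.
SAMPLE_GPG_CONF = """\
# comments and blank lines are ignored

group developers = 0xDBC3175B 0x9209B308 0x8A51A0EE
group developers=0xAAAA1111
group managers = 0xBBBB2222 developers
keyserver hkp://keys.example.org
"""

# `group <name> = <values>` or `group <name>=<values>` (spaces around = optional)
_GROUP_RE = re.compile(r"^\s*group\s+([^=\s]+)\s*=\s*(.*)$")


def parse_groups(conf_text: str) -> Dict[str, List[str]]:
    """Return {group_name: [member, ...]} from gpg.conf text."""
    groups: Dict[str, List[str]] = {}
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _GROUP_RE.match(line)
        if not m:
            continue  # some other option, e.g. keyserver
        name, values = m.group(1), m.group(2).split()  # whitespace splits values
        members = groups.setdefault(name, [])
        for v in values:
            if v not in members:  # same-named groups merge, without duplicates
                members.append(v)
    return groups


def expand_recipients(recipients: List[str], groups: Dict[str, List[str]]) -> List[str]:
    """Expand -r/--recipient arguments: a group name becomes its members,
    anything else is passed through unchanged. Members are not expanded
    again, which is the 'only one level of expansion' rule."""
    out: List[str] = []
    for r in recipients:
        out.extend(groups.get(r, [r]))
    return out


if __name__ == "__main__":
    g = parse_groups(SAMPLE_GPG_CONF)
    print("-r developers ->", expand_recipients(["developers"], g))
    print("-r managers   ->", expand_recipients(["managers"], g))
```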
Re: Organizing GPA public key list into favourites groups????
On 01/12/2011 02:58 PM, Bo Berglund wrote:
> On Tue, 11 Jan 2011 23:12:48 +0100, Bo Berglund bo.bergl...@gmail.com wrote:
> Seems like no one can answer this question

Cheer up. :-) Sometimes it can take a few days before someone can get you the answer that you need.

> What I want to do is to encrypt a specific file before sending it as an attachment in an email. I need to encrypt it several times a week after it has been revised because it is a live specification document and it is very tedious to always sift through the long list of keys to select the keys for the development team members... A group would have made life so much easier.

What you want to do is easy with the command line, but I don't know about how to do it with GPA.

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Organizing GPA public key list into favourites groups????
On 01/12/2011 03:42 PM, Bo Berglund wrote:
> Well, I created a batch file with the command:
> gpg -r groupname --encrypt filename
> When I execute this batch file it actually does what I need provided that the file is not open in MS Word. If it is then there is a very strange error message about an illegal argument... Funnily, if I use GPA to encrypt the doc file while MSWord has it open, then encryption works just fine. Is there a gpg option to open the file in read-only mode such that I don't get this error?

Could you give us the error message? It may help someone figure out what the issue is.

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
AUTO: Richard Hamilton is out of the office (returning 01/13/2011)
I am out of the office until 01/13/2011.

I am out of the office until Thursday January 13th, 2011. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at robert.ol...@williams.com. I will have limited mail and cell phone access.

Note: This is an automated response to your message "Re: What is the benefit of signing an encrypted email" sent on 1/12/11 9:15:48. This is the only notification you will receive while this person is away.
Re: Having trouble getting GPG to accept input from a pinpad
On 01/03/2011 02:25 AM, Michel Messerschmidt wrote:
> Have you tried it with gnupg 2.0.x? IIRC you need at least 2.0.12 for the SPR-532 pinpad and gnupg-agent should be running. If not, please post more details about your environment and how you execute gnupg. The pinpad works for me, so I guess you will find a way.

Good news--it works. Initially, I tried gpg2 (version 2.0.14), but it didn't work. Instead, I got an error message that scdaemon wasn't running. I searched for scdaemon on my system with "which scdaemon", but I couldn't find it. But now I can find scdaemon with "which scdaemon", and the only thing that has changed has been that I compiled some software, installed some packages, and, just this last evening, performed an update on my system. I hadn't had any success with the pinpad until some time after the update last night. So I don't know what happened to fix my situation (I wish I knew).

But thank you to all of you who helped me. You have been a big help. :-)

-Paul
--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Having trouble getting GPG to accept input from a pinpad
On 01/02/2011 05:32 AM, Simon Josefsson wrote:
>> I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and I can't get GPG to take a PIN from the pinpad instead of the keyboard. When I run gpg --card-edit followed by any command that requires a PIN or Admin PIN, I get a password dialog box from pinentry, but I can only enter the PIN via a keyboard.
> IIRC the on-device PIN entry is only used for signing operations, not admin stuff -- so try proceeding anyway and then try signing. This kind of harms the point of having an on-device PIN entry, but it is still possible to set up the card on a secure machine and then use it in other environments. I'm using a SPR-532 too with GnuPG on Mac for SSH authentication, and I enter the PIN on the SPR-532 just fine.

Unfortunately, GPG isn't taking input from the pinpad regardless of what operations I am performing--signing, decrypting, changing card information. This behavior is true of both the PIN and the Admin PIN.

Everything else that I have done so far with my OpenPGP v2 card works. So I have no issues there. Things such as generating a key, changing card information, decrypting and signing e-mail work without any trouble.

I'll gladly answer any questions about my setup or tools or run different stuff to debug this situation. I just want to start using my pinpad. :-)

-Paul
--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Having trouble getting GPG to accept input from a pinpad
Hi,

I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and I can't get GPG to take a PIN from the pinpad instead of the keyboard. When I run "gpg --card-edit" followed by any command that requires a PIN or Admin PIN, I get a password dialog box from pinentry, but I can only enter the PIN via a keyboard.

I have followed the GnuPG Smartcard HOWTO, including setting up the udev rules and creating and adding my user account to the scard group. According to this post at http://lists.gnupg.org/pipermail/gnupg-users/2010-November/039845.html, using the pinpad of my card reader should work (except when it doesn't ;-)).

I don't have pcsc-lite installed. I am using GnuPG 1.4.10 (but also have GnuPG 2.0.14 installed) and am running it on top of Ubuntu 10.04. The versions of GnuPG that I have are what was available through my package manager.

Thanks in advance for any help you can provide.

-Paul
--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
AUTO: Richard Hamilton is out of the office (returning 01/03/2011)
I am out of the office until 01/03/2011.

I am out of the office until Monday January 3rd, 2011. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at robert.ol...@williams.com. I will have limited mail and cell phone access.

Note: This is an automated response to your message "Re: Is self-signing necessary? Basic questions." sent on 1/2/11 12:43:27. This is the only notification you will receive while this person is away.
Re: verify signature from Windows and Ubuntu does not work
Sat, 20 Nov 2010 09:07:13 +0100, Mike wrote:
> I use IMAP for my mailbox and I am accessing this from Win/Outlook and Ubuntu/Evolution. When I get an email and I access it first with Outlook, then I can not verify the signature anymore in Ubuntu as the whole email got detached into a separate attachment. How can I resolve this? I could not find any options in gpg4win or kleopatra.

When you say that the e-mail got detached into a separate attachment, are you talking about the copy of the e-mail that is stored on your computer or the message that is stored on the mail server?

-Paul
--
PGP ID: 3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D88
Re: GPG 4 Win
Thu, 18 Nov 2010 11:44:56 +, Lee Elcocks wrote:
> I have finally managed to import PKCS12 files into GPGSM. Is there a way of importing OpenPGP keys into GPGSM?

No. GPGSM is for CMS and S/MIME; GnuPG is for OpenPGP and PGP/MIME.

> The client insists that we use RSA keys using openSSL and bundle into P.12 files, their public keys come as .txt files, they will not import into GPGSM, but will import into GPG no problem, so I assume they are open PGP keys, that is indeed what Kleopatra displays.

If the key that you were importing into GnuPG were not an OpenPGP key it would give the following error.

gpg: no valid OpenPGP data found.

Given the fact that you were successful in importing the key into GnuPG, it must be an OpenPGP certificate. A way of examining a file to see if it is an OpenPGP certificate is to use "gpg --list-packets certificate_file". If the certificate is valid, gpg will output a bunch of information about the various data packets in the file.

-Paul
--
PGP ID: 3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
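To show what the "no valid OpenPGP data found" check and --list-packets look at, here is an added example (not GnuPG code and not from this thread): it dearmors a text block such as a .txt public key, walks the RFC 4880 packet headers and names each packet, and rejects DER input such as a PKCS#12 file on its first byte. The sample certificate is constructed with dummy packet bodies, so only its framing is meaningful.

```python
"""Framing-level check of "is this OpenPGP data?": dearmor if needed (RFC 4880
section 6), walk the packet headers (section 4.2) and name each tag (section
4.3). DER input such as a PKCS#12 file fails on its first byte. Added example,
not GnuPG code; the sample blocks at the bottom are constructed with dummy
packet bodies, so only their framing is meaningful."""
import base64
import re
from typing import List, Tuple

TAG_NAMES = {  # RFC 4880 section 4.3
    1: "public-key encrypted session key", 2: "signature",
    3: "symmetric-key encrypted session key", 4: "one-pass signature",
    5: "secret key", 6: "public key", 7: "secret subkey", 8: "compressed data",
    9: "symmetrically encrypted data", 10: "marker", 11: "literal data",
    12: "trust", 13: "user id", 14: "public subkey", 17: "user attribute",
    18: "sym. encrypted integrity protected data", 19: "modification detection code",
}


def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the ASCII-armor envelope, verify the CRC line, return raw bytes."""
    m = re.search(r"-----BEGIN PGP [^\n]+-----\n(.*?)\n-----END PGP", text, re.S)
    if not m:
        raise ValueError("no armor envelope")
    lines = m.group(1).split("\n")
    if "" in lines:  # armor headers (Version:, Comment:) end at a blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(l for l in lines if not l.startswith("=")))
    crc_lines = [l for l in lines if l.startswith("=")]  # "=" + 4 base64 chars
    if crc_lines:
        want = int.from_bytes(base64.b64decode(crc_lines[-1][1:]), "big")
        if crc24(data) != want:
            raise ValueError("armor CRC mismatch")
    return data


def list_packets(data: bytes) -> List[Tuple[int, str, int]]:
    """Return [(tag, name, body_length), ...], or raise ValueError where gpg
    would report 'no valid OpenPGP data found'."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:  # bit 7 is always set in a packet header octet
            raise ValueError("no valid OpenPGP data found at offset %d" % i)
        if ctb & 0x40:  # new-format header: 6-bit tag, variable length octets
            tag, b1 = ctb & 0x3F, data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:  # old-format header: 4-bit tag, length type in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        out.append((tag, TAG_NAMES.get(tag, "unknown tag %d" % tag), length))
        i += hdr + length
    if i != len(data):
        raise ValueError("truncated packet")
    return out


def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw bytes in an armor envelope with CRC (used to build the sample)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP %s-----\n\n%s\n=%s\n-----END PGP %s-----\n" % (kind, b64, crc, kind)


def _packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length (constructed sample data)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample "certificate": public key, user id, public subkey (dummy bodies).
SAMPLE_BINARY = (_packet(6, b"\x04" + b"\x00" * 10) + _packet(13, b"alice@example.org")
                 + _packet(14, b"\x04" + b"\x00" * 10))
SAMPLE_ARMORED = armor(SAMPLE_BINARY)
# Constructed non-OpenPGP input: the DER SEQUENCE header that starts a PKCS#12 file.
SAMPLE_DER = bytes.fromhex("30820123")
```

Running list_packets(dearmor(SAMPLE_ARMORED)) yields the three headers in order; list_packets(SAMPLE_DER) raises at offset 0, which is the same failure gpg reports for a PKCS#12 file.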
Re: Do I need to put my keys on a server???
On 11/10/2010 07:23 AM, Visual GPG WoT Project wrote:
> I've created two key pairs for two different email accounts (let's say email1@ and email2@) and signed each one with each other and set the owner trust to ultimate... When I send an encrypted email from email1@ to email2@ my Enigmail client says: "Decrypted message; Unverified signature". What am I doing wrong? Do I need to put my keys on a server???

Putting your keys on a keyserver won't fix this situation. On the machine that you decrypted the message, did you have the public key for ema...@?

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Changing secret key encryption algorithms
On Thu, 21 Oct 2010 09:40:11 -0700, Dan Cowsill wrote:
> It seems the algorithms are mapped to algo ID's. I can confirm that the algorithm is different than the one used on my real secret key, but I had not been able to find any resources that map the algo ID's to their respective names with any completeness. I was able to find an excellent (if dated) resource on secret keys in the process[1].

Page 62 of RFC4880 (http://www.rfc-editor.org/rfc/rfc4880.txt) specifies the IDs of symmetric algorithms, and RFC5581 (http://www.rfc-editor.org/rfc/rfc5581.txt) specifies the IDs for the Camellia cipher.

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Paranoid People's User Group?
On Thu, 14 Oct 2010 08:45:59 +0200, Remco Rijnders wrote:
> I've looked at this before and haven't been able to tell... is there any way to subscribe to this group without needing to create a yahoo ID and email address?

No. Yahoo! requires you to log in with a Yahoo! ID, or if you don't have one, you must create a Yahoo! ID.

-Paul
--
Please use my PGP key when sending me messages.
PGP ID: 3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Paranoid People's User Group?
On Wed, 13 Oct 2010 17:57:08 -0700, Dan Cowsill wrote:
> After some googling, I decided this would be the best place to start. What I'm after is a mailing list or user group that exchanges encrypted communications with each other. Or, if no such mailing list exists, I wonder if I might be able to pick up a pen-pal or two that wants to use PGP to communicate.

There is such a mailing list, which is called PGPNET. It is part of Yahoo! Groups and is located at http://tech.groups.yahoo.com/group/PGPNET/. All mail, with few exceptions, is encrypted to all members of the group.

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: generating X.509 certificates using gnupg
On Tue, 7 Sep 2010 13:56:08 +0530 (IST), Alex Smily wrote:
> Please don't mind if this forum is not the correct one to ask... I have installed gnupg on windows... gpg, gpg2, gpgsm are working fine. Is it possible to generate X.509 certificates using gnupg? If so please help me.

This is the right mailing list. You can generate a certificate signing request with gpgsm, e.g. "gpgsm --output certificate.csr --gen-key". If you are looking to do more than that, you may wish to use OpenSSL instead.

And if this doesn't fully answer your question, or you have more questions, post back--this mailing list is friendly to newcomers.

-Paul
--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Encryption with no recipient
On Tue, 31 Aug 2010 07:49:48 -0400, Ted Rolle Jr. wrote:
> I tried -ace and it always asked for a userid. -c and -ac worked just fine. Apparently when -e is specified that triggers the request for a recipient.

Hi Ted.

-c or --symmetric encrypts with a symmetric key that is derived from a passphrase. No public key is used. Because of that, using "gpg -c some_file" will ask for a passphrase, and that passphrase must be used when you want to decrypt the file.

But when you specify -e or --encrypt, GnuPG will use a public key to encrypt the file, and a recipient's public key must be specified. This means that when you specify both -c and -e, you will get a file that is encrypted by a symmetric key and a public key. That is why GnuPG is asking for a recipient.

-Paul
--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Strange behaviour of gpg when importing key from keyserver
On Wed, 25 Aug 2010 17:55:17 -0400, Faramir wrote:
> Now, the problem: I search keys by an email address, and gpg shows me the different matches found, and asks me to enter the number of the match I want to import, or O for other, or F to finish. But if I enter O or F, it just repeats the question, it doesn't finish the process. I tried different characters based on English words I thought may have been used in the English version of GPG, and found 'Q' (for Quit) is the right answer to finish the process and exit, but I don't know the equivalent for 'other', nor what it is supposed to do.
> [snip]
> P.S: this is the question:
> Keys 1-3 of 3 for theAddressIused. Introduzca número(s), O)tro, o F)in

The equivalent for O is N, because the English word here would be Next. For example:

Keys 1-6 of 12 for Faramir. Enter number(s), N)ext, or Q)uit

-Paul
--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: gnuPGP Setup
On Sat, 21 Aug 2010 04:21:07 -0700 (PDT), BernePGP wrote:
> I'm really new to this and I have about 80% understood, I am at the stage where I have sent my key in a word file to my recipient that is sorted. I then tell the recipient to download and load the gnupgp program and to read the setup for novice readme file. After the recipient has loaded the program he generates a personal key but does he do as I have done and copy out his public key in a wordfile and send it to me?

He can do one of two things. He can export his public key into a file and, by some means, deliver the file to you, or he can send his public key to a keyserver so that you can fetch it from the keyserver.

> In other words when the recipient got my email with my public key encrypted in a wordfile, what does he then do? Does he copy and paste my public key somewhere in his gnupgp program?

He imports it into his program. If he is using the program that you are using, then he clicks the Import button and selects the file. Also, note that public keys are not encrypted when exported. That is only done for private keys, because there is no danger in revealing a public key but the inverse for a private key.

> In what form should I expect to receive the sender's public key? Will it arrive already encrypted in a word file and if so what do I do with that enc public key in regard to my gnuPGP program?

Concerning the first question here, it depends on the way he chooses to deliver his key to you (please see my top paragraph). And concerning the second, you import it into your program. In the program that you are using, click the Import button and select the public key file.

> Again a newbie, a few words to clear the matter please. I did read the novice helpfile but you can see the whole process is not fully understood.

No problem. No one was ever born an expert. ;-)

> To be upfront, I'm no further on, I just can't follow the great advice shown here. The only thing I can do is to provide a screenshot and then follow exactly an A), B), C) format no further advice until a return screenshot has proven that I've understood and executed that step? So here is the first screenshot of my GnuPGP UI (if I should use an easier UI please advise where I can get it but this one seems ok)? Oh, re the word file it was a misprint, wordpad was used, But now I can't seem to reproduce my own public key in wordpad?

All right. Let's start by exporting your public key. And since your GUI is GNU Privacy Assistant, I will refer to it as GPA.

A) Select your key in GPA.
B) Click the Export button.
C) Enter the filename that you want.

You're done. Now give that file to your recipient by whatever means you will. Now wait for him to give you his public key. If he gives you a file with his public key in it, follow the steps below.

A) In GPA, click the Import button.
B) Select the file that your recipient gave you.

Done. Now have your recipient perform each of these series of steps as you have, and both of you will be able to communicate securely. Also, please follow the advice given to you by Simon Richter and Faramir about ensuring that you and your recipient have the correct keys.

-Paul
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Accessing the 2nd card reader
On Thu, Aug 12, 2010 at 12:31, Richard rich...@r-selected.de wrote:
> Well I stumbled upon another problem. I actually wanted to use one of my card readers with GnuPG/scdaemon exclusively, and the other one with OpenSC's PAM-PKCS#11 module.
> [...]
> I just wanted to ask whether scdaemon always blocks _all_ PC/SC readers, even when told to use one specific reader only?

All right, this appears to be a PAM-PKCS#11 bug. I am going to drop a note on this list if I find a solution.

Richard
Re: Accessing the 2nd card reader
On Fri, Aug 13, 2010 at 16:38, Richard rich...@r-selected.de wrote:
> All right, this appears to be a PAM-PKCS#11 bug.

That's not correct: It is a bug in OpenSC's PKCS#11 module. Someone wrote a patch for OpenSC (SVN, trunk), which fixes the problem for me: http://www.opensc-project.org/pipermail/opensc-user/2010-August/004224.html

Best regards,
Richard
Re: Accessing the 2nd card reader
Well I stumbled upon another problem. I actually wanted to use one of my card readers with GnuPG/scdaemon exclusively, and the other one with OpenSC's PAM-PKCS#11 module. As already mentioned, both of my readers are accessible via PC/SC.

Having set

reader-port REINER SCT CyberJack pp_a (8928928328) 00 00

in my ~/.gnupg/scdaemon.conf, I thought the other reader could now be used smoothly with PAM-PKCS#11. However, pcscd tells me "SCardConnect() Error Reader Exclusive". I'll have to figure out which of the two readers it is trying to access here (although I have set the reader slot to use to the 1st reader, which should not be opened exclusively by scdaemon).

I just wanted to ask whether scdaemon always blocks _all_ PC/SC readers, even when told to use one specific reader only? If it doesn't, then this is probably a PAM-PKCS#11-related problem and I will have to contact the OpenSC people for support.

Thanks,
Richard
Accessing the 2nd card reader
Hello everyone,

I have connected two card readers to my computer, but want only to use the 2nd one with GnuPG 2/scdaemon. Both are PCSC readers:

$ opensc-tool -l
Readers known about:
Nr.  Driver  Name
0    pcsc    SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
1    pcsc    REINER SCT CyberJack pp_a (8928928328) 00 00

However, GnuPG only recognizes the 1st reader:

$ echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print $2}'
04E6:E003:21250837209929:0

How can I force GnuPG to use the 2nd reader only? I don't know which reader-port option to set in ~/.gnupg/scdaemon.conf.

Thanks,
Richard
Re: Accessing the 2nd card reader
Hello Werner,

On Wed, Aug 11, 2010 at 12:34, Werner Koch w...@gnupg.org wrote:
> To convince pcscd to use the second reader you need to use the reader-port REINER SCT CyberJack pp_a or a bit more of the string shown by opensc-tool.

thanks for your advice. I had to use the whole identifier as issued by opensc-tool to get the reader to work:

reader-port REINER SCT CyberJack pp_a (8928928328) 00 00

Now I can finally access my OpenPGP smart card in my second reader using GPG :)

Thanks again for your help,
Richard
Re: Gnupg good for big groups?
On Mon, 09 Aug 2010 13:55:41 -0400, Robert J. Hansen wrote:
> You would have to ask Paul. I suspect, though, that with only a low-thirtysomething number of nodes and a total number of messages in the neighborhood of six hundred, that there's not much confidence to be had in any trend.

Exactly. I figured from the start that with few people and messages that I wasn't going to find anything more than gross trends.

-Paul
Re: Gnupg good for big groups?
Hi MFPA,

Sun, 8 Aug 2010 15:49:40 +0100, MFPA wrote:
>> 681 Messages sent by members of the list
>> 628 Encrypted messages
> I'm surprised the difference is so large - it doesn't feel like that large a proportion is unencrypted. But that number not encrypted looks correct if it includes about ten notification messages from Yahoo about new file uploads, etc.

Actually, the number of encrypted messages that I originally posted was incorrect. The real number is 641. I replied to my original post and posted the correct numbers. You can find them at this link: http://lists.gnupg.org/pipermail/gnupg-users/2010-August/039335.html. No Yahoo notifications were counted in any of the numbers that I posted, since none of those messages were from someone on or joining the list. But all other messages were counted, including my initial post of my public key.

>> 36 NETMK messages
> I have difficulty counting those because my email program is poor at searching inside encrypted messages. It finds six plaintext, and this only rises to 13 if I tell it to also look inside encrypted messages; I know this is a very long way short.

36 is correct. I took note of every NETMK (Not Encrypted To My Key) message, who was complaining, and who hadn't encrypted. Also note that 36 NETMK messages does not mean 36 messages that weren't encrypted to someone's key. Sometimes a person had multiple messages that he couldn't decrypt, and sometimes multiple people responded to the same initial message with NETMK messages.

>> 13 Members were responsible for not encrypting to someone's key
>> 12 Members sent NETMK messages
>> And for what it's worth:
>> 22 Messages weren't encrypted to my key
> How many of these 22 were within the first week or so? I find very few messages not encrypted to mine.

I agree with Hansen that this seems almost like cherry picking, but I will give it to you anyway. Six in the first week and four in the last week. But before you say, "Ah ha", know that four of the first week's messages were from a person that had successfully sent encrypted messages to me prior in that same week. Also two of the last week's were not due to someone removing my key from his list of keys. In both cases someone else couldn't read the poster's message and the poster replied with a message the NETMK complainer and I could read. It's not that you need this much detail, but without it you might come to incorrect conclusions about the causes of the messages that I couldn't decrypt.

>> and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint.
> Wow!
>> Hope this is enlightening. :-)
> It is. I'm quite surprised at the proportion of unencrypted messages, and at the proportion of members not encrypting to somebody's key. I would hope that latter figure dropped significantly if non-encryption to keys posted within the last week were disregarded.

As for the proportion of unencrypted messages, see the top of this message. No one sent NETMK messages in the last week. But if I deduct the 4 messages that I could not decrypt that were sent in the last week, then the ratio of NETMK messages plus messages not encrypted to me to all messages is approximately 1 in 13.

-Paul
Re: Gnupg good for big groups?
On Sat, 07 Aug 2010 20:30:22 -0400, Faramir wrote:
> The interesting thing is, a lot of times the NETMK messages are caused by less active members who (somehow) broke their configurations.

Actually, the most amusing and bizarre mistake is that people sometimes encrypt to only *their* key. That happened 30% of the time.

-Paul
Re: Gnupg good for big groups?
On Sat, 07 Aug 2010 12:59:45 -0700, Paul Richard Ramer wrote:
> 681 Messages sent by members of the list
> 628 Encrypted messages
> 36 NETMK messages
> 37-41 Keys
> 37-40 Members
> 32 Members sent encrypted messages
> 13 Members were responsible for not encrypting to someone's key
> 12 Members sent NETMK messages
> And for what it's worth:
> 22 Messages weren't encrypted to my key
> So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint.

My apology. Two of the numbers that I posted were wrong. The total of encrypted messages should be 641, and the number of members who didn't encrypt to someone's key was 18. Also, note that the ratios that I gave are still correct despite the corrections. I have reposted the original message with the corrected numbers below.

-Paul

-Corrected message below-

Well, I have some numbers to show the frequency of NETMK (Not Encrypted To My Key) messages. I was on the PGPNET mailing list for just over three months, and these are my findings (note that all of these numbers are from the day that I joined to the day that roll call ended and my key was removed).

681 Messages sent by members of the list
641 Encrypted messages
36 NETMK messages
37-41 Keys
37-40 Members
32 Members sent encrypted messages
18 Members were responsible for not encrypting to someone's key
12 Members sent NETMK messages

And for what it's worth:

22 Messages weren't encrypted to my key

So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint.
Re: Gnupg good for big groups?
On Sat, 07 Aug 2010 20:30:22 -0400, Faramir wrote:
> On 07-08-2010 15:59, Paul Richard Ramer wrote:
> ...
>> So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint.
>> Hope this is enlightening. :-)
> The interesting thing is, a lot of times the NETMK messages are caused by less active members who (somehow) broke their configurations.

True. In fact over a third of all NETMK messages (14 to be exact) were to members who posted fewer than ten messages in that three month period.

-Paul
Re: Gnupg good for big groups?
On Wed, 04 Aug 2010 13:57:57 -0400, Robert J. Hansen wrote:
> It is also worth noting that PGPNET has some very big problems with key management. PGPNET users are apparently comfortable wrestling with these problems (more power to them for that), but we shouldn't pretend the problems don't exist.
> In a completely connected graph of N nodes there are (N^2 - N)/2 different edges. Or, in English, 40 members equals 780 separate communications links, each one of which can fail and produce problems for other people. The network begins to get spammed with "that last message wasn't encrypted to my new key, please re-send." The network slowly begins to drown with communications overhead: key synchronization, resend requests, failure notifications, etc.
> PGPNET is probably operating pretty close to the limits of OpenPGP. At some point the math bites you hard and doesn't let go.

Well, I have some numbers to show the frequency of NETMK (Not Encrypted To My Key) messages. I was on the PGPNET mailing list for just over three months, and these are my findings (note that all of these numbers are from the day that I joined to the day that roll call ended and my key was removed).

681 Messages sent by members of the list
628 Encrypted messages
36 NETMK messages
37-41 Keys
37-40 Members
32 Members sent encrypted messages
13 Members were responsible for not encrypting to someone's key
12 Members sent NETMK messages

And for what it's worth:

22 Messages weren't encrypted to my key

So for me that makes approximately 1 in 29 encrypted messages was not encrypted to my key, 1 in 19 of all messages was a NETMK message, and 1 in 12 of all messages was either not encrypted to my key or a NETMK complaint.

Hope this is enlightening. :-)

-Paul
poldi unattended authentication
Hello everyone!

I would like to authenticate using poldi without the need to enter my PIN. In an old blog posting, they use

    auth sufficient pam_poldi.so try-pin=123456 quiet

in PAM config files to achieve this behavior (http://www.schiessle.org/howto/poldi.php). However, this specific feature seems not to be available with the latest poldi release (0.4.1) anymore.

Is there another way to authenticate using an OpenPGP smart card, but without the need of having to enter a PIN? Since the OpenPGP smart card itself cannot be used without setting an (at least) 6 characters long PIN, I don't know what to do with the try-pin option removed.

Richard.
AUTO: Richard Hamilton is out of the office (returning 06/24/2010)
I am out of the office until 06/24/2010.

I am out of the office until Thursday June 24th. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at robert.ol...@williams.com. I will have limited mail and cell phone access.

Note: This is an automated response to your message "Re: Can we use GNUPG with PGP for commercial use" sent on 6/17/10 10:21:32. This is the only notification you will receive while this person is away.
Re: Test mail to richih.mailingl...@gmail.com
On Fri, Jun 11, 2010 at 09:39, Werner Koch <w...@gnupg.org> wrote:

> Sorry for the inconvenience,

No problem. It's not me :)

Richard
Re: PGP Installation Problems on Sun OS
On Mon, 26 Apr 2010 18:57:15 +0530, Varaprasad Kota wrote:

> I have downloaded gnupg-2.0.15.tar.bz2 and done the below steps to install them on SunOS.
>
> Step1: unzipped it
> Step2: Moved into the parent directory (gnupg/gnupg-2.0.15.tar.bz2) and typed ./configure.
> Step3: I have also tried checking whether gpg is already installed or not.
>
> For all the above commands I get "KSH: NOT FOUND" reply.

So by that last line, do you mean that each time that you typed a command you got a "KSH: NOT FOUND" error? For example:

> Step1: unzipped it
KSH: NOT FOUND
> Step2: Moved into the parent directory (gnupg/gnupg-2.0.15.tar.bz2) and typed ./configure.
KSH: NOT FOUND
> Step3: I have also tried checking whether gpg is already installed or not.
KSH: NOT FOUND

Or do you mean that ./configure gives you a "KSH: NOT FOUND" error?

Also, did ./configure succeed, or did it fail and give an error? If ./configure failed, please reply with the contents of the error. It will make a big difference in determining what went wrong.

-Paul

--
Karl Marx, a famous deadbeat dad. --self

PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884
Re: Receiving invalid packet errors when decryption Ascii Armored data
On Tue, 6 Apr 2010 14:25:09 -0500, Seidl, Scott wrote:

> I am sending data to a vendor for processing and they are at times having issues decrypting our files. We are ASCII armoring the file before we send it, and they are receiving an error of:
>
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: [don't know]: invalid packet (ctb=2d)
>
> I've looked at the file we sent to them and see no issues or extra data around the ASCII Armor header/trailer records. Can someone provide more details on what would be causing this error? I've seen this with Binary (non-ASCII armored) files. I am using GNUPG v 1.4.9 to encrypt the files on a Linux box. I can tell that the vendor is also using GNUPG from the error email I get, but I don't know the version.

Have you and the vendor compared checksums on the ASCII-armored files to confirm that the files that you sent and the files that they received are identical?

-Paul

--
You wouldn't send all of your mail written on the back of postcards, would you? Then why would you send your e-mail the same way?
http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
Re: What to do when subkey expires?
On Mon, 5 Apr 2010 20:20:06 -0400, Brian Mearns wrote:

> Sorry for such a simple question, but I can't find a simple answer. My signing and encryption subkeys have expired, so do I just create new subkeys, and upload to the SKS servers? Do I have to delete the subkeys, or revoke them?

Create new ones. You don't need to delete or revoke them, because no one is going to use them now that they have expired.

-Paul

--
New Windows 7: Double the DRM, Double the fun! Learn more: http://windows7sins.org
Re: URGENT: GNuPG 1.2.1 - secret keys help
Hi,

On Fri, 26 Mar 2010 02:12:00 -0400, Kannan, Aarthi [Tech] wrote:

> Here is the command I use:
>
> gpg --home /home/gpgfiles --keyring /home/gpgfiles/pubring.gpg --list-secret-keys
>
> From: Kannan, Aarthi [Tech]
> Sent: Friday, March 26, 2010 11:36 AM
> To: 'gnupg-users@gnupg.org'
> Subject: URGENT: GNuPG 1.2.1 - secret keys help
>
> Hi,
>
> I am using gpg1.2.1. I created a key using gen-key. When I do a -list-keys, it lists my public key fine. When I do a -list-secret-key, I get the following error:
>
> gpg: keyring_get_keyblock: read error: invalid packet
> gpg: keydb_get_keyblock failed: invalid keyring
>
> I have read write access to pubring.gpg, secring.gpg, trustdb.gpg random_seed. Am I missing something here? Can you please help, it's urgent - am stuck on this for a while now!

I think that it means that your secret keyring is corrupted.

-Paul

--
New Windows 7: Double the DRM, Double the fun! Learn more: http://windows7sins.org
Re: Corrupted File
On Wed, 24 Mar 2010 15:56:48 -0700 (PDT), James Board wrote:

>> Have you tried decrypting the file with either PGP or GnuPG? Also, where in the file is the corruption?
>
> The file is corrupted (a 4096-byte page full of zeroes), at seemingly random places, but not near the front of the file. The file was encrypted with PGP 5.0. I tried to decrypt with PGP 5.0 and that didn't work.

[...]

I haven't used PGP 5.0, but does it give an error message when you try to decrypt the file? If it does, please let us know what the error message is. It could be helpful.

[...]

> Should I try with gpg? Does gpg behave gracefully if the input file is corrupted?

[...]

It wouldn't hurt to try. As for the second question, I don't know. I don't have the knowledge or experience with these situations to answer that.

[...]

> I don't normally use gpg: can I decrypt a file with gpg that was originally encrypted with pgp 5.0?

To the best of my knowledge, GnuPG can work with old versions of PGP going back to PGP 2.x. So I think that it may. If you do use GnuPG to decrypt your file, let us know whether it works or not. And if it doesn't work, post the error message so that we can further diagnose.

-Paul

--
You wouldn't send all of your mail written on the back of postcards, would you? Then why would you send your e-mail the same way?
http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
Re: Generating a new key
On Sun, 21 Mar 2010 00:40:08 -0300 Faramir wrote:

> Another thing to consider is SHA is not as safe as it used to be, and if it becomes easily crackable, signatures issued using SHA can become unsafe. So maybe you'd like to use SHA-256 instead of SHA-128. If I'm

I believe that you meant SHA-1 and not SHA-128, because there isn't a hash called SHA-128. Also SHA-1 is a 160 bit hash.

>> The first line tells gnupg to use SHA-256 instead of SHA-1 to mangle the passphrases.
>
> I don't really know what is that mangling thing, but if the idea is to replace SHA-1 with SHA-256, it can be useful. (I have a bad feeling about telling other people to use that line).

In addition to what David said, the passphrase mangling uses iterations of the hash algorithm to slow down a brute force attack on the passphrase. So for a fictional example, GnuPG will hash the word "dog" and produce 0123456789. Then it will iterate by taking the output of the hash algorithm and use it as input to another instance of hashing. So in this example it would take the output of 0123456789 and hash it to produce 9876543210. The default iteration count is 65536 and can be set by the --s2k-count option. However, if you want to change the default, I would suggest that you read this first: http://lists.gnupg.org/pipermail/gnupg-users/2009-November/037760.html.

-Paul

--
Plagiarism is the greatest form of flattery. --self
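As an added example (not code from the post or from GnuPG), here is the RFC 4880 "iterated and salted" string-to-key transform that GnuPG applies to a passphrase, together with the one-octet count encoding behind --s2k-count (coded 0x60 decodes to the 65536 mentioned above). The RFC transform feeds the repeated salt+passphrase stream into a single hash context rather than re-hashing the previous digest, so the "hash the output again" picture above is a simplification; all helper names are ours.

```python
"""Added example (not code from the post or from GnuPG): the OpenPGP
"iterated and salted" string-to-key transform of RFC 4880, section 3.7.1.3,
which is the passphrase mangling discussed above.  Helper names are ours."""
import hashlib

GNUPG_DEFAULT_CODED_COUNT = 0x60   # decodes to the 65536 octets named in the post

def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_encode_count(count: int) -> int:
    """Smallest coded value whose decoded count is at least `count`."""
    for coded in range(256):
        if s2k_decode_count(coded) >= count:
            return coded
    raise ValueError("count exceeds the encodable maximum (65011712)")

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Derive key_len octets: feed (salt || passphrase), repeated, into the hash
    until `count` octets have been consumed (a final partial copy is truncated).
    If count is smaller than salt+passphrase, the whole block is hashed once.
    When one digest is too short, further contexts preloaded with 1, 2, ...
    zero octets are run over the same stream and the digests concatenated."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(s2k_decode_count(coded_count), len(block))
    out, context_no = b"", 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context_no)   # distinguishes the 2nd, 3rd, ... contexts
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]    # full copies, then a truncated last copy
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        context_no += 1
    return out[:key_len]

if __name__ == "__main__":
    import os
    salt = os.urandom(8)
    for coded in (0x00, GNUPG_DEFAULT_CODED_COUNT, 0xFF):
        print(f"coded 0x{coded:02x} -> {s2k_decode_count(coded):>9} octets hashed")
    key = s2k_iterated_salted(b"dog", salt, GNUPG_DEFAULT_CODED_COUNT)
    print("derived key:", key.hex())
```

The decoded octet count is the unit --s2k-count works in, and every passphrase guess in a brute-force attempt has to pay the same hashing cost, which is what makes a larger count useful.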
Re: key question
On Sat, 13 Mar 2010 20:05:21 + MFPA wrote:

>> I can't speak for other people, but I can for me. Take a look at the UIDs on my key, which is 0xC7C66ADF3DB6D884. And also, take a look at my master key 0x2188A92DF05045C2 that I signed the other key with. Each of those e-mail addresses on my keys is one that was already associated with my real name. I had given each of those addresses to family, friends, associates, businesses, or a combination of them. Not one of those accounts had given me any anonymity, and each had been shared outside of people I knew personally. By uploading a key with those addresses on it, does that mean I gave up privacy that I already had? No.
>
> It looks to me as if the answer is yes. Unless each person who had one of your email addresses already knew the other addresses before seeing them on your key, they now have extra information about you. And the addresses have jumped from "shared outside of people [you] knew personally" to "published in a universally-accessible location". However minor/negligible or unimportant you may consider it, that's a reduction in privacy.

You are, of course, assuming all of my contacts know what PGP is, how to use a keyserver, and have fetched and examined my key. Although I have potentially disclosed my e-mail addresses to the whole world, my actual disclosure has been less than had I posted those e-mail addresses to a web page or handed a copy of my key UIDs to whomever.

But you know what? I don't care. I created those UIDs with the belief that if I shared them with one person, I shared them with the world. I intentionally made that information public, which is different from accidental disclosure. Also the use of a keyserver in my case was good, because I don't have any means of distributing my key electronically other than by e-mailing my key to every person that may request it. So a keyserver fits the way I want to work.

-Paul

--
Privacy is good. Use PGP.
AUTO: Richard Hamilton is out of the office (returning 03/22/2010)
I am out of the office until 03/22/2010.

I am out of the office until Monday March 21st. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at robert.ol...@williams.com. I will have limited mail and cell phone access.

Note: This is an automated response to your message "Re: Secure unattended decryption" sent on 3/19/10 14:26:09. This is the only notification you will receive while this person is away.
Re: Corrupted File
Hello James,

On Mon, 15 Mar 2010 18:02:41 -0700 (PDT) James Board wrote:

> I have a fairly large file (about 10 mbytes) that was corrupted on disk. About 5-10 pages of the file (4096-byte blocks) were lost and set to zero. The file is a PGP encryption of another file which is a 'tar' file of other smaller ASCII text files. I would like to decrypt as much of this file as possible. I know with several blank pages, I can never fully recover the file. However, most of the data is still legitimate. Is it possible to recover it with the gpg tools? To this point, I had been using the older PGP 5.0 version, but I can try gpg if it can decrypt most of the file.

Have you tried decrypting the file with either PGP or GnuPG? Also, where in the file is the corruption?

If the head of the file is corrupted, then you won't get your data back. The reason why is that with an OpenPGP message the file is encrypted with a symmetric encryption key (a.k.a. session key), and then the symmetric key is encrypted with the recipient's asymmetric encryption key (a.k.a. public key) and stored in a packet inside the encrypted file. This packet precedes the data packet, which contains the encrypted data. An OpenPGP message would look something like this:

    +----------------------------+
    | Various packets, including |  <--- Without this ...
    | session key packet         |
    +----------------------------+
    |                            |
    | Data packet                |  <--- ... you can't decrypt that.
    |                            |
    +----------------------------+

However, if only the data packet is damaged, you may be able to get some of the data back. I experimented with this by using a tar file of a few ASCII files in order to simulate your situation. I corrupted the beginning of the file, and gpg couldn't recognize it as an OpenPGP message. Then I tried corrupting some of the end of the file, and I could successfully decrypt and extract the text files from the tar file. Out of four text files in the tar file, three were good and the last was damaged too badly to understand what its original content was.

Restoring from a backup would be best, if you have one. Also, if anything that I said was unclear to you, just let me know.

-Paul

--
New Windows 7: Double the DRM, Double the fun! Learn more: http://windows7sins.org
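The packet layout in the diagram above, as an added example that is not part of the post or of GnuPG: a small Python walker over OpenPGP packet headers, run against a constructed two-packet message with a 4096-byte block zeroed once at the head and once at the tail. The top-bit test it applies is the one behind gpg's "invalid packet (ctb=xx)" message, which is also why any byte below 0x80, such as 0x2d (ASCII '-'), is rejected as a packet tag; all function names and the filler message are ours.

```python
"""Added example (not code from the post or from GnuPG): a minimal OpenPGP
packet-header walker (RFC 4880, section 4.2) that shows why a zeroed 4096-byte
block at the head of a message is fatal while one in the tail leaves the
session-key packet readable.  The message is constructed filler with real
packet headers but no real ciphertext; all function names are ours."""

TAG_NAMES = {1: "Public-Key Encrypted Session Key",
             18: "Sym. Encrypted Integrity Protected Data"}
BLOCK = 4096   # the disk page size the poster reports as zeroed

def new_format_header(tag: int, body_len: int) -> bytes:
    """Encode a new-format header: 0b11TTTTTT then a 1-, 2- or 5-octet length."""
    first = 0xC0 | tag
    if body_len < 192:
        return bytes([first, body_len])
    if body_len < 8384:
        n = body_len - 192
        return bytes([first, 192 + (n >> 8), n & 0xFF])
    return bytes([first, 255]) + body_len.to_bytes(4, "big")

def walk_packets(msg: bytes):
    """Return [(tag, header_offset, body_len)] for the packets in msg.
    A byte with the top bit clear cannot be a packet tag; that is the
    condition gpg reports as 'invalid packet (ctb=xx)'."""
    packets, pos = [], 0
    try:
        while pos < len(msg):
            ctb = msg[pos]
            if not ctb & 0x80:
                raise ValueError(f"invalid packet (ctb={ctb:02x}) at offset {pos}")
            if ctb & 0x40:                              # new-format header
                tag, b1 = ctb & 0x3F, msg[pos + 1]
                if b1 < 192:
                    length, hdr = b1, 2
                elif b1 < 224:
                    length, hdr = ((b1 - 192) << 8) + msg[pos + 2] + 192, 3
                elif b1 == 255:
                    length, hdr = int.from_bytes(msg[pos + 2:pos + 6], "big"), 6
                else:
                    raise ValueError("partial body lengths are not handled here")
            else:                                       # old-format header
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
                if ltype == 3:
                    raise ValueError("indeterminate length is not handled here")
                n = 1 << ltype
                length, hdr = int.from_bytes(msg[pos + 1:pos + 1 + n], "big"), 1 + n
            if pos + hdr + length > len(msg):
                raise ValueError(f"packet at offset {pos} runs past end of message")
            packets.append((tag, pos, length))
            pos += hdr + length
    except IndexError:
        raise ValueError(f"truncated packet header at offset {pos}") from None
    return packets

def build_message() -> bytes:
    """Constructed stand-in for 'session-key packet, then encrypted data packet'."""
    filler = bytes(range(255, -1, -1))             # 256 octets of non-secret filler
    # Tag 1 body: version 3, 8-octet key ID, algorithm 1 (RSA), one 2048-bit MPI.
    pkesk = b"\x03" + b"\x11" * 8 + b"\x01" + (2048).to_bytes(2, "big") + filler
    # Tag 18 body: version 1, then ~20 KiB standing in for the ciphertext.
    data = b"\x01" + filler * 80
    return (new_format_header(1, len(pkesk)) + pkesk
            + new_format_header(18, len(data)) + data)

def zero_block(msg: bytes, offset: int, size: int = BLOCK) -> bytes:
    """Simulate one disk page lost and read back as zeroes."""
    return msg[:offset] + b"\x00" * size + msg[offset + size:]

def diagnose(msg: bytes) -> str:
    """Summarise what a decryptor could still find in a (possibly damaged) message."""
    try:
        tags = [t for t, _, _ in walk_packets(msg)]
    except ValueError as err:
        return f"unreadable: {err}"
    if not any(t in (1, 3) for t in tags):
        return "no session-key packet: nothing to decrypt with"
    data = "present" if any(t in (9, 18) for t in tags) else "missing"
    return f"session key packet intact; data packet {data}"

if __name__ == "__main__":
    msg = build_message()
    for label, damaged in [("intact", msg),
                           ("head zeroed", zero_block(msg, 0)),
                           ("tail zeroed", zero_block(msg, len(msg) - BLOCK))]:
        print(f"{label:12s} -> {diagnose(damaged)}")
```

With the tail zeroed the walker still finds both packets, so the session key is recoverable and only the ciphertext under the zeroed page is lost, which matches the partial recovery described above.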
Re: key question
Hello MFPA,

I couldn't respond to your post for a while. So here it is.

On Mon, 8 Mar 2010 21:38:18 + MFPA wrote:

>> I never asserted that you said the key's originator owned the information stored in the key. I was quoting the context of what your reply about the originator having some rights was about. I would never try to insert words into your mouth.
>
> I just wanted anybody reading this after the event to be clear the quoted line about "owning" was not anything *I* have said.

Okay. So we both misunderstood each other. Problem solved.

>> Really, I am not interested in talking about what the law says. The law may be right, or the law may be wrong. I don't want to know what the law thinks, I want to know what you think.
>
> The legal aspect is an integral part of the answer to your question; it demonstrates that rights to privacy and to an element of control over one's personal information are not something I dreamt out of thin air. Whatever different views people may have on moral or ethical rights, there are situations where processing/storage/dissemination of personal information is the subject of an established body of legislation and legal precedent. All that is open to question is the extent and nature of privacy rights that may exist beyond the narrow set enshrined in law and the slightly wider set in documents such as ECHR.

The issue of law is not an integral part of the answer to the question of what should be. It is an integral part of the answer to what is. If I were to ask you whether every day should be like Christmas, you would likely respond that every day couldn't be like Christmas. Sure, every day couldn't be like Christmas, because of the way people are, but that doesn't mean that that is the way things ought to be. The reason I wanted you to discuss what you believe without regard to the law is because the law is just another man's opinion. I was asking for only yours.

>> For the record, I don't believe that the key holder should upload the key if the key's originator doesn't want
>
> Seeing as we are framing this in terms of rights, do you believe the holder has a right to upload in these circumstances but should not exercise that right?

It depends. Are we talking about ethical rights or lawful rights? I think the key holder has the ethical and lawful rights to use and distribute the key if the key's originator doesn't forbid him. If the key holder is forbidden, he has the lawful right, but not an ethical right. But the key holder shouldn't have to ask the originator what he may do with the key. The key holder should, by default, have freedom. But if the originator doesn't want his key disseminated, he should say so. And by the way, I apply this rule to me.

>> But I don't believe the originator has a /right/ to prevent the key holder from sharing it.
>
> Morally and ethically, I disagree. To use an example with phone numbers: say I had a personal friend who was an insurance broker with a teenaged daughter and elderly parents. I would suggest it's perfectly in order for me to pass to a third party my mate's business number. I definitely have no moral or ethical right to pass on his daughter's or parents' numbers or his personal number. Some would argue he has a right to give me a good beating if I did.

So a buddy's business number is public information, and you can share it if you like. But a /public/ key, which by default is considered publicly shareable information, isn't. I get it! So it goes like this. A business telephone number is considered by most to be shareable, and because of that, it is ethically shareable. A public key is considered by most to be shareable, and because of that, it isn't ethically shareable.

> In practical terms, the originator currently has no means to prevent this sharing, whether or not he has a right. In a certain narrow set of circumstances, there could be an argument for legal redress if the originator's personal information was shared.

Interesting.

> ... [C]urrently has no means

Sounds like you may want some delicious DRM.

> I don't believe the keyserver (or the church) is responsible for another's actions.

But I wanted to see whether you thought the keyserver should be responsible.

> I also don't think a webhost should be deemed responsible if somebody posts unlawful material on a site or forum that happens to be hosted on their servers.

I agree. I don't believe in guilt by association, including unintentional association.

The rights that you are asserting are similar to copyrights. They both restrict the copying and dissemination of the information associated with them.

> I cannot conceive of anything other than a presumption of privacy in respect of the personal information usually present in the UIDs, and have always been amazed at the number of people displaying it openly on their public keys.

I can't speak for other people, but I can for me. Take a look at the UIDs on
Re: key question
MFPA wrote:

> On Saturday 6 March 2010 at 8:55:48 AM, you wrote:
>
>> On Sat, 27 Feb 2010 03:52:02 + MFPA wrote:
>>
>>> (b) the person owns the information has the right to control how it is disseminated, and
>
> This was someone's re-interpretation of my point. Spot the extra ?

Hello MFPA,

I never asserted that you said the key's originator owned the information stored in the key. I was quoting the context of what your reply about the originator having some rights was about. I would never try to insert words into your mouth.

> The data subject does have various rights concerning the personal information that is about him.

This is the reply you gave to Robert J. Hansen. I have asked about what you believe the limit of the rights of the originator is. I didn't ask this because I am trying to twist your words to make it seem as though you believe that the originator has a right by law to prevent the key holder from disseminating it. I used this quote, because I believe that it states, in your own words, what you have been saying, either directly or by implication, during this whole discussion thread.

> The concept of *owning* your personal information makes little sense.
> [snipped the rest of the paragraph]

You have begun by answering a question that I never asked. I have only asserted that you believe that the originator has some rights. I never used the word "own". I used the word "rights".

> Exactly as far as everything else that would fall under the basic right to privacy (described in Article 8 of the European Convention of Human Rights as the right to respect for private and family life). The OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data is a slightly more international view. http://www.oecd.org/document/20/0,3343,en_2649_34255_15589524_1_1_1_1,00.html
>
> The use, storage or dissemination of personal information is the subject of specific laws in many places, as mentioned above and linked from earlier in the thread.
>
> I'm referring to the personal information that is often present in key UIDs. Others may wish to extend similar discussion to cover the key ID/fingerprint, which I view as problematic. The key ID/fingerprint is not personal information in and of itself. But if the key is on a server, the de facto standard for key UIDs leads to, in most cases, personal information being revealed to anybody in possession of the key ID.

Really, I am not interested in talking about what the law says. The law may be right, or the law may be wrong. I don't want to know what the law thinks, I want to know what you think.

>> You say that the key's originator should control the dissemination of the key to the keyserver,
>
> (I would point out that other opinions are available and have been shared in this thread. Also, the conditional "should" is important since anybody in possession of the key has the *ability* to upload it whether they should or not.)

I know what the others have said--I have read every posting in this thread. As for "should", I intentionally chose that word.

> I say that if the key's originator does not disseminate said key to said keyserver, nobody else is in a legitimate position to make that decision on their behalf. If the originator actively *wanted* their key to be on that server (or network of servers), they would probably have uploaded it there. The originator may have been unaware of that server's existence. They may simply have taken no action regarding keyservers. They may have considered a particular keyserver (or network) and made a decision that they did not want their key on it. They may not want their key on any keyserver. The point is, without referring to the key originator, a third party cannot know their intentions and should not have the arrogance to presume.
>
> The OpenPGP standard and GnuPG can both be seen to concede that the key originator could have some say in the matter: the keyserver-no-modify flag was defined quite a while ago in RFC 2440 as meaning "the key holder requests that this key only be modified or updated by the key holder or an administrator of the key server", and has long been set by default in GnuPG. Unfortunately, I don't see evidence that any keyservers honour this flag.

For the record, I don't believe that the key holder should upload the key if the key's originator doesn't want the key in some public venue (forget the keyservers, it's about public availability). But I don't believe the originator has a /right/ to prevent the key holder from sharing it.

>> but what about from the keyserver? Isn't the keyserver unwittingly sharing the key without the originator's permission?
>
> Difficult to answer.

Good. I accomplished my goal of making you think about your position. :-)

> Say, for example, I was to print out your photograph, name, address, phone number, etc. and display it on a public noticeboard in the church. Would you consider that the noticeboard was unwittingly