Re: FAQ, take two
On Tue, 5 Jun 2012 22:26, kloec...@kde.org said:

> Supports GnuPG versions: 1.4, 2.0

FWIW: Kontact Touch has been developed against GnuPG 2.1. I am not sure whether it works with 2.0. The Linux version will likely work but the WindowsCE version won't work - but well, nobody is using the latter.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FAQ, take two
On Tue, 5 Jun 2012 19:22, r...@sixdemonbag.org said:

> I can add these: it shouldn't be a problem. The reason I'm using XHTML, incidentally, is to make it as easy as possible for you to convert it into org-mode: an hour's work with a SAX parser should be able to take care of most of it. If I knew the first thing about org-mode I'd write the script myself.

org-mode is pretty easy to understand. The current faq.org should be sufficient as an example. Rendering it to txt and html is a quick 10-line rule in doc/Makefile.am. Add ~4 lines for each other format (PDF, ODT, LaTeX, XOXO, DocBook).

Let me give the conversion a try once you are finished.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: FAQ, take two
On 05/06/12 02:36, Robert J. Hansen wrote:

>> I believe the etiquette is that the signed key block should be returned to the certificate's owner, for her/him to do what he/she deems convenient, e.g. upload it to a keyserver.
>
> I haven't found widespread belief this is a community norm. There's a vocal segment that believes one or more of "this is a community norm," "it must be a community norm," "it is morally and/or ethically wrong if it is not a community norm" -- but it's a segment, and doesn't seem to be shared by the whole of the community.
>
>> The signer himself/herself should not upload the signed key block to a key server, or publish it in any other way, without the certificate owner's explicit authorization or request.
>
> By what right can I -- or anyone on this list -- claim the authority to declare what members of the community should or shouldn't do? I'm writing a FAQ, not establishing community norms. I don't mind writing the FAQ, but I do mind trying to impose norms. It's not something I'm comfortable with. (Besides. If I tried, people would laugh at me, and deservedly so.)
>
> It's reasonable to present the controversy, and I'll make mention of it in the next revision. That's as far as I'll go.

FWIW, until I read somebody complaining about people uploading key signatures, instead of sending them to the key owner, it never occurred to me that it could possibly be a problem for anyone. My immediate thought on reading it for the first time was that if it's a bad thing, then the keyservers should prevent it. Even if it was obviously a bad thing, people would still do it. So if it's completely morally ambiguous, and possible, it's going to happen. No amount of documentation or education will change that. I mean, technically it should be easy for the keyservers to email the owner of a key to ask if a signature should be accepted. Or to refuse uploaded signatures unless they are themselves signed by the owner of the key. If it really is a problem, then it can be fixed with code.

> Of course, ultimately Werner is the one who gets thumbs-up or thumbs-down on this -- if it's to someday become the official FAQ, then he gets final signoff authority. So if you disagree, feel free to pitch it to him, but you've heard my position on it. :)

Doesn't matter what the FAQ says in this regard. It will continue to happen unless the key servers actively prevent it.

--
Mike Cardwell  https://grepular.com/  http://cardwellit.com/
OpenPGP Key: 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key: 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
Re: FAQ, take two
On 6/5/2012 5:22 AM, gn...@lists.grepular.com wrote:

> FWIW, until I read somebody complaining about people uploading key signatures, instead of sending them to the key owner, it never occurred to me that it could possibly be a problem for anyone.

I'll go one step further: my personal belief is that this pursuit is a fool's errand.

What people are really asking for is a concept the military calls ORCON, for ORiginator CONtrol [1]. The idea is that with ORCON data the person or agency that originated the data gets absolute control over how the data is disseminated and how it may be released.

To do ORCON within the context of public-key certificates, we would need:

1. Infrastructure. The keyserver-no-modify flag is a nice idea, but no keyserver currently honors it.

2. Training. ORCON is a hard thing to pull off, and requires that the originator and those who come into contact with the data know how to treat ORCON data. That's simply not going to happen.

3. Accountability. There needs to be some way or ways to detect ORCON violations and handle offenders appropriately (social condemnation). But there's no way to tell who uploads a certificate to a keyserver. If Bob signs Alice's key and Charlie, Bob's roommate, who has access to Bob's public keyring, later uploads Alice's certificate to the keyserver, it makes no sense to blame Bob (the signer) for what Charlie did (violate ORCON). But since there's no way to trace it back to Charlie...

Once those three are addressed then I'll take the "I want ORCON" crowd seriously. Until then, my response to the ORCON crowd is "I want stronger beer and honest politicians."

I think it's foolish to try to establish a social norm in which offenders cannot be identified and the norm cannot be enforced. That doesn't mean I think Charly's wishes shouldn't be respected: he's made his wishes clear and I think decent people will respect them. But there's a difference between saying "I'll respect the desires of someone who makes their wishes on this subject clear" and "there is a social norm which must be upheld."

[1] http://en.wikipedia.org/wiki/Classified_information_in_the_United_States#Handling_caveats
Re: FAQ, take two
Hi,

IMHO (Open)PGP's good reputation comes to a great extent from the fact that it does not require rigorous policies to use the keys. It is an ad-hoc scheme and that is what differentiates it from S/MIME and PKIX.

It was my fault that I once set the no-modify flag for all new keys. In practice this flag is useless.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
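The keyserver-no-modify flag discussed above (Robert's point 1 and Werner's remark that it is useless in practice) lives in the Key Server Preferences subpacket of a key's self-signature. The following Python is an added example, not code from the thread or from GnuPG: it parses an RFC 4880 signature subpacket area and reports whether the owner asked for no-modify. The sample subpacket bytes are constructed by hand. As the thread notes, the result tells you what the key owner requested, not what any keyserver will enforce.

```python
"""Parse an OpenPGP (RFC 4880) signature subpacket area and report the
keyserver no-modify preference.  Added example; the sample bytes below
are constructed, not taken from a real key."""
import struct

KEY_SERVER_PREFS = 23     # RFC 4880 5.2.3.17, Key Server Preferences
NO_MODIFY = 0x80          # the only flag defined in that subpacket


def parse_subpackets(data: bytes):
    """Yield (type, critical, body) for each subpacket in a hashed or
    unhashed subpacket area, using the RFC 4880 5.2.3.1 length encoding.
    The length covers the type octet plus the body."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:                                 # five-octet length
            if len(data) < i + 5:
                raise ValueError("truncated subpacket length")
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        if length == 0 or i + length > len(data):
            raise ValueError("truncated or malformed subpacket")
        tag = data[i]
        # bit 7 of the type octet marks the subpacket as critical
        yield tag & 0x7F, bool(tag & 0x80), data[i + 1:i + length]
        i += length


def no_modify_requested(subpacket_area: bytes) -> bool:
    """True if the self-signature asks keyservers not to let third parties
    modify the key (the flag GnuPG sets with keyserver-no-modify)."""
    for sp_type, _critical, body in parse_subpackets(subpacket_area):
        if sp_type == KEY_SERVER_PREFS and body:
            return bool(body[0] & NO_MODIFY)
    return False   # subpacket absent: no preference expressed


# Constructed hashed-subpacket area: creation time, key server prefs
# (no-modify set), key flags (certify + sign).
SAMPLE_WITH_FLAG = bytes([
    0x05, 0x02, 0x4F, 0xCD, 0x62, 0x9E,   # type 2: signature creation time
    0x02, 0x17, 0x80,                     # type 23: no-modify set
    0x02, 0x1B, 0x03,                     # type 27: key flags
])
SAMPLE_WITHOUT_FLAG = bytes([0x05, 0x02, 0x4F, 0xCD, 0x62, 0x9E,
                             0x02, 0x17, 0x00, 0x02, 0x1B, 0x03])

if __name__ == "__main__":
    for name, area in (("with flag", SAMPLE_WITH_FLAG),
                       ("without flag", SAMPLE_WITHOUT_FLAG)):
        print(name, "-> no-modify requested:", no_modify_requested(area))
```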
Re: FAQ, take two
> The signer himself/herself should not upload the signed key block to a key server, or publish it in any other way, without the certificate owner's explicit authorization or request.

The new text reads,

"Finally, if you have elected to make a normal signature you may wish to upload the newly-signed certificate to the keyserver network so that other users may benefit from seeing your assurance of the certificate's authenticity. This may be done by typing gpg2 --keyserver pool.sks-keyservers.net --send-key [certificate ID]. However, some people consider it rude or offensive for others to upload their certificates without their express permission. It may be worthwhile to check with the certificate owner before doing this."

...

Since the text is now relatively stable, it's time for me to begin doing a detail pass. As part of this, I'm going to be reorganizing the text and layout. If anyone has recommendations about this, please speak up now. With luck, we can have this thing to Werner by the end of the week. :)
Re: FAQ, take two
On Tue, 5 Jun 2012 13:24, r...@sixdemonbag.org said:

> text and layout. If anyone has recommendations about this, please speak up now. With luck, we can have this thing to Werner by the end of the

Some time ago I added custom ids to most questions; for example:

  ** What is the recommended key size?
  :PROPERTIES:
  :CUSTOM_ID: what-is-the-recommended-key-size
  :END:

The idea is that we can change the question but keep links to the FAQ intact. I guess it will be my work to re-add them while I convert them to org-mode.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: FAQ, take two
On Mon, Jun 04, 2012 at 09:11:13PM +0200, thus spoke Werner Koch:

> On Mon, 4 Jun 2012 18:35, lists.gn...@mephisto.fastmail.net said:
>
>> require extensive manual configuration for it to work properly (but if you're using Mutt, you already know that). See http://wiki.mutt.org/?MuttGuide/UseGPG for configuration details.
>
> That is not true: Put
>
>   set crypt_use_gpgme
>
> into the ~/.muttrc and you don't need any of the other configure options. Mutt must have been compiled with GPGME support. Check using
>
>   mutt -v | grep +CRYPT_BACKEND_GPGME
>
> Debian builds with gpgme support.

Apparently so does Red Hat/Fedora; the mutt package in the repos has this feature included. The default MacPorts configuration, however, did not; I had to recompile (which was easy using the port command).

I don't know if this is a coincidence or not, but I will mention that for the first time in a long while, Mutt segfaulted when I tried to open a message on the gnupg mailing list... presumably when it tried to call gnupg to do an automatic signature verification? Other signatures have verified fine since I switched to using gpgme; I'm hoping this will prove to be an isolated incident, related to the structure of that one signature (it does it every time I try to open that message).

In any case, thanks for the tip.
Re: FAQ, take two
On Tue, 5 Jun 2012 15:24, lists.gn...@mephisto.fastmail.net said:

> I don't know if this is a coincidence or not, but I will mention that for the first time in a long while, Mutt segfaulted when I tried to open a message on the gnupg mailing list... presumably when it tried

I see two reasons for it:

- It is many years since I wrote the gpgme backend code and restructured Mutt's crypto stuff. There is certainly some bit rot.

- This feature is not well known and thus not well tested anymore. I don't use Mutt anymore for regular mail processing and thus I am not affected (I know that this is a lame excuse).

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: FAQ, take two
On 6/5/12 8:56 AM, Werner Koch wrote:

> Some time ago I added custom ids to most questions; for example:

I can add these: it shouldn't be a problem. The reason I'm using XHTML, incidentally, is to make it as easy as possible for you to convert it into org-mode: an hour's work with a SAX parser should be able to take care of most of it. If I knew the first thing about org-mode I'd write the script myself.
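The SAX conversion Robert describes, carrying Werner's :CUSTOM_ID: properties across so that existing links to a question survive rewording, is sketched below as an added Python example; it is not the script from the thread or from the GnuPG project. It assumes the FAQ's XHTML marks each question as an h2 element with an id attribute and each answer paragraph as a p element; the markup in the block is a constructed stand-in.

```python
"""Turn FAQ entries from an XHTML fragment into org-mode headings that carry
a :CUSTOM_ID: property.  Added example; the sample markup is constructed and
the <h2 id="..."> / <p> layout is an assumption about the FAQ's XHTML."""
import xml.sax
from xml.sax.handler import ContentHandler


class FaqToOrg(ContentHandler):
    """SAX handler: h2 -> org heading (+ CUSTOM_ID), p -> body paragraph."""

    def __init__(self, level=2):
        super().__init__()
        self.stars = "*" * level      # heading depth in the org file
        self.out = []                 # output lines
        self._in_h = self._in_p = False
        self._buf = []                # text of the element being read
        self._id = None

    def startElement(self, name, attrs):
        if name == "h2":
            self._in_h, self._id, self._buf = True, attrs.get("id"), []
        elif name == "p":
            self._in_p, self._buf = True, []

    def characters(self, content):
        # expat may deliver text in several chunks; collect them all
        if self._in_h or self._in_p:
            self._buf.append(content)

    def endElement(self, name):
        text = " ".join("".join(self._buf).split())   # collapse whitespace
        if name == "h2" and self._in_h:
            self._in_h = False
            self.out.append(f"{self.stars} {text}")
            if self._id:   # keep the stable anchor as an org property
                self.out += [":PROPERTIES:", f":CUSTOM_ID: {self._id}", ":END:"]
        elif name == "p" and self._in_p:
            self._in_p = False
            self.out += [text, ""]


def xhtml_to_org(xhtml: str) -> str:
    """Return the org-mode text for an XHTML FAQ fragment."""
    handler = FaqToOrg()
    xml.sax.parseString(xhtml.encode("utf-8"), handler)
    return "\n".join(handler.out).rstrip() + "\n"


# Constructed stand-in for two FAQ entries in the assumed XHTML layout.
SAMPLE_XHTML = """<?xml version="1.0"?>
<div>
<h2 id="what-is-the-recommended-key-size">What is the recommended key size?</h2>
<p>The defaults are fine for
most users.</p>
<h2 id="what-is-a-certificate">What is a certificate?</h2>
<p>A public key together with its identities and signatures.</p>
</div>"""

if __name__ == "__main__":
    print(xhtml_to_org(SAMPLE_XHTML))
```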
Re: FAQ, take two
On Monday 04 June 2012, Robert J. Hansen wrote:

> Also, if there are any questions you feel are missing, throw them out too. Thank you!

An addition for 4.11:

Kontact [http://userbase.kde.org/Kontact] / Kontact Touch [http://userbase.kde.org/Kontact_Touch]
Plugin? No (natively supported)
Supports GnuPG versions: 1.4, 2.0
Supports pgp/mime? Yes (and inline PGP)
Actively developed? Yes
Project blurb: Kontact is the integrated Personal Information Manager (mail, address book, calendar, etc.) of KDE. It runs on Linux, various unices, and, as Kontact Touch, on a few mobiles. There is also an alpha version running on Windows [http://wiki.kolab.org/Kontact_for_Windows_(Enterprise-5)]. The GnuPG support is mature and RFC 3156-compliant.

Feel free to shorten the blurb (e.g. the bit about the supported platforms).

Side note: Support for PGP/MIME (and S/MIME) in Kontact (and Mutt) was developed as part of the Aegypten (http://gnupg.org/aegypten/) and Aegypten2 [http://gnupg.org/aegypten2/] projects, among others by the people behind GnuPG.

Regards,
Ingo
Re: FAQ, take two
On 6/4/12 12:35 PM, Kevin Kammer wrote:

> Section 2.6: For Solaris 11, gnupg is also available via the default IPS publisher. The version Oracle provides is 2.0.17 vs 2.0.18 from OpenCSW, but it is worth mentioning as it may satisfy parties who are unwilling (or unable) to install via 3rd-party software sources.

I am unfortunately Solaris-impaired: IPS publisher? If you could provide a sentence or two explaining this (preferably in the same general format/wording as the other sections), I'd appreciate it greatly.

> Section 4.11 Should almost certainly mention GnuPG integration with Evolution, which is still the default Gnome email client on many *nix distros.

D'oh, yes. Although I don't know if they support inline signatures yet. I know they support PGP/MIME (rather obsessively) and that inline signatures have been a requested feature, but I'd need someone to confirm the status there -- as well as whether it supports GnuPG 1.4 or 2.0.

> Also, for Mutt, I believe I can help with some of the FIXMEs:

Thank you!

> General comment: For users completely new to GnuPG (and encryption in general), the use of the related terms "certificate" and "key" throughout the FAQ may be confusing. Questions like "What's a certificate?" "What's a key?" and "What's the difference?" may deserve an explanation someplace. A good place might be in the Terminology section, which itself should perhaps appear earlier in the FAQ.

A good point. I'll introduce it, but for now I'm going to leave the overall numbering intact -- reorgs should take place once the document is stable, not while there's still churn. :)
Re: FAQ, take two
On Mon, 4 Jun 2012 18:35, lists.gn...@mephisto.fastmail.net said:

> require extensive manual configuration for it to work properly (but if you're using Mutt, you already know that). See http://wiki.mutt.org/?MuttGuide/UseGPG for configuration details.

That is not true: Put

  set crypt_use_gpgme

into the ~/.muttrc and you don't need any of the other configure options. Mutt must have been compiled with GPGME support. Check using

  mutt -v | grep +CRYPT_BACKEND_GPGME

Debian builds with gpgme support.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: FAQ, take two
Robert J. Hansen 4fcc11f2.6050...@sixdemonbag.org June 4, 2012 4:22:54 PM wrote:

[snip]

> Also, if there are any questions you feel are missing, throw them out too. Thank you!

Section 4.7 "How do I validate another person's certificate?" does not deal with what one should do once she/he has signed another person's certificate (after completing the validation process).

I believe the etiquette is that the signed key block should be returned to the certificate's owner, for her/him to do what he/she deems convenient, e.g. upload it to a keyserver. The signer himself/herself should not upload the signed key block to a key server, or publish it in any other way, without the certificate owner's explicit authorization or request.

That may be hair splitting and not etiquette, but I believe the issue should be clarified. I have had at least two of my certificates signed by someone with whom I had never gone through any kind of validation process, or even discussed the possibility of such a process. The person just signed my certificate and uploaded it to a keyserver.

End of rant.

Charly.
Re: FAQ, take two
On 6/4/2012 4:39 PM, Charly Avital wrote:

> I believe the etiquette is that the signed key block should be returned to the certificate's owner, for her/him to do what he/she deems convenient, e.g. upload it to a keyserver.

I haven't found widespread belief this is a community norm. There's a vocal segment that believes one or more of "this is a community norm," "it must be a community norm," "it is morally and/or ethically wrong if it is not a community norm" -- but it's a segment, and doesn't seem to be shared by the whole of the community.

> The signer himself/herself should not upload the signed key block to a key server, or publish it in any other way, without the certificate owner's explicit authorization or request.

By what right can I -- or anyone on this list -- claim the authority to declare what members of the community should or shouldn't do? I'm writing a FAQ, not establishing community norms. I don't mind writing the FAQ, but I do mind trying to impose norms. It's not something I'm comfortable with. (Besides. If I tried, people would laugh at me, and deservedly so.)

It's reasonable to present the controversy, and I'll make mention of it in the next revision. That's as far as I'll go.

Of course, ultimately Werner is the one who gets thumbs-up or thumbs-down on this -- if it's to someday become the official FAQ, then he gets final signoff authority. So if you disagree, feel free to pitch it to him, but you've heard my position on it. :)
Re: FAQ, take two
Robert J. Hansen 4fcd629e.8010...@sixdemonbag.org June 4, 2012 10:38:58 PM wrote:

[...]

> It's reasonable to present the controversy, and I'll make mention of it in the next revision. That's as far as I'll go.

Fair enough, and thanks.

> Of course, ultimately Werner is the one who gets thumbs-up or thumbs-down on this -- if it's to someday become the official FAQ, then he gets final signoff authority. So if you disagree, feel free to pitch it to him, but you've heard my position on it. :)

I agree with your position.

Charly
FAQ, take two
The unofficial FAQ is approaching completion. At this point I think it's about two-thirds done. By this I mean most of the writing is complete. Every FAQ entry should have at least a couple of sentences of text. Some will have more, some less.

This FAQ is not meant to be a GnuPG tutorial, reference manual, or HOWTO. For that reason most of the FAQs about "how do I..." are really just brief sentences listing commands that are useful, with the intent being people will look those commands up in manuals, HOWTOs, manpages, or whatnot.

I'm not interested in bikeshedding over grammar or word choices. If I let everyone on this list play editor then this FAQ will never get completed. For that stuff I've asked a couple of friends with good technical writing skills to look over it, and their proposals are probably going to get adopted.

What I *am* interested in, though, are content errors. It is quite likely I have a few in there, and maybe even a few howlers. So please, take a look and see what you think.

Also, if there are any questions you feel are missing, throw them out too. Thank you!

http://keyservers.org/~rjh/gnupgfaq.xhtml