Re: Key Capabilities
Christoph Anton Mitterer wrote:
> Cryptographically it is about the same as normal signing, it simply
> denotes that a key may be used to sign other keys.

Jep, I just stumbled on GPG not displaying it (because I was just creating a key that will mainly be used to sign other keys).

Thanks, Christoph and David, for enlightening me...

Olaf

--
Dipl.Inform. Olaf Gellert          PRESECURE (R)
Senior Researcher,                 Consulting GmbH
Phone: (+49) 0700 / PRESECURE      [EMAIL PROTECTED]
A daily view on Internet Attacks   https://www.ecsirt.net/sensornet

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key Capabilities
Olaf Gellert wrote:
> When I generate an RSA key, GPG provides the capabilities sign, encrypt
> and authenticate (in expert mode), but not certification.

Certification is always used automatically for the primary (signing) key. If you edit your key (gpg --edit-key ) you'll see a "Usage: CS" for the primary key.

> Is certification something that is actually implemented or planned for
> the near future?

It is actually implemented (it's one of the most basic features: signing keys).

> What usage is expected to depend on this capability?

Cryptographically it is about the same as normal signing, it simply denotes that a key may be used to sign other keys.

Best wishes,
Chris.
Re: Key Capabilities
On Thu, Nov 17, 2005 at 02:34:06PM +0100, Olaf Gellert wrote:
> Hi,
>
> I have read about the following key capabilities:
>
> - sign
> - encrypt
> - authenticate
> - certification
>
> When I generate an RSA key, GPG provides the capabilities
> sign, encrypt and authenticate (in expert mode), but
> not certification.
>
> Is certification something that is actually implemented
> or planned for the near future? What usage is expected
> to depend on this capability?

Certification is just the ability to sign other keys. All primary keys, by definition, are able to certify, so the flag is not very meaningful there.

In GPG 1.4.2 the key generation menu doesn't show you certification as an option, but it does automatically set the flag behind the scenes. 1.4.3 is a little different. To make things clearer, 1.4.3 does show certification in the list of flags, but you can't turn it off (as this would violate OpenPGP).

David
Re: key capabilities usage meanings
On Sun, 10 Apr 2005 08:51:23 -0400, J Wren Hunt said:
> Is there any public documentation on how to implement this? The only way
> I've seen thus far to implement this is to use patched versions of the
> SSH daemon which I'm rather loath to do if there's an
> easier/more-supported way. Thx!

The CVS version of gnupg 1.9 supports this by providing a replacement for the ssh-agent. There is one problem though: As of now you can't use gpg (1.4) with smartcards and the gpg-agent with smartcards at the same time, because both demand exclusive access to the reader. It's pretty annoying and I am actually working on solving it.

If you don't need a background ssh process (i.e. from a cron job) there is an ugly workaround: Give gpg-agent a HUP before using gpg, so that gpg-agent will release access to the reader.

Stay tuned.

Salam-Shalom,
Werner
Re: key capabilities usage meanings
David Shaw wrote:
| Authentication is signing a challenge (like ssh does). The
| Authentication stuff can be used to log in to a machine using your GPG key.

Is there any public documentation on how to implement this? The only way I've seen thus far to implement this is to use patched versions of the SSH daemon which I'm rather loath to do if there's an easier/more-supported way. Thx!

--
Cheers!
J. Wren Hunt
Cambridge, MA. USA

"In theory, there is no difference between theory and practice. But, in practice, there is." - Jan L.A. van de Snepscheut

v-card  http://wrenhunt.homelinux.org/data/wren.vcf
x.509   http://wrenhunt.homelinux.org/data/thawte_wren_hunt.cer
OpenPGP ADF5 1432 A59E 8F4D 4AE7 4DFE 03FA 91E1 4A24 D6F4
Re: key capabilities usage meanings
On Fri, Apr 01, 2005 at 06:33:13PM +0200, [EMAIL PROTECTED] wrote:
> What is the meaning of usage/capabilities listings for keys (shown, for
> example, during edit-keys interactive sessions)?
> S -> sign
> E -> encrypt
> C -> ?
> A -> ?
> Looking at doc/DETAILS I found
> C -> certification
> A -> authentication
>
> But I don't understand the difference between certification,
> authentication and signing. I have different keys, each for a
> different internet "personality", and I noticed that one primary key
> is listed as CSA and another CS. The two keys were generated with
> the same options (DSA for signing + ElGamal subkey for pubkey
> encryption), so why this difference?

Probably they were generated with two different versions of GnuPG. The "A" authentication type is fairly recent.

Signing is signing data (i.e. gpg --sign the_file)
Certification is signing a key (i.e. gpg --sign-key the_key)
Authentication is signing a challenge (like ssh does). The Authentication stuff can be used to log in to a machine using your GPG key.

The signature math is the same however you do it. The key usage flags are just to classify things.

> Another question: I read in manpage that MDC is enabled by default
> with newer ciphers (blocksize>64bit) and with CAST5. So why when you
> decipher a symmetrically encrypted message you get "WARNING: message
> was not integrity protected" and only with --force-mdc the warning
> goes away?

Not with CAST5. CAST5 has a blocksize of 64 bits.

David
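To see these letters in machine-readable form, `gpg --list-keys --with-colons` puts them in field 12 of each pub/sub record, as described in doc/DETAILS. The parser below is an added example, not code from the thread or from GnuPG; its input is a constructed `--with-colons` listing with made-up key IDs, and the CS/CSA summary it produces mirrors the two-key situation discussed above.

```python
# Constructed sample of `gpg --list-keys --with-colons` output (made-up key
# IDs and dates).  Field 12 of each pub/sub record holds the capability
# letters s/c/e/a; on the pub record, uppercase letters give the usable
# capabilities of the whole key (primary plus subkeys), 'D' = disabled.
SAMPLE = """\
pub:u:1024:17:0123456789ABCDEF:1131800000:::u:::scaESCA:
uid:u::::1131800000::0000000000000000000000000000000000000000::Persona One <one@example.org>:
sub:u:2048:16:FEDCBA9876543210:1131800000::::::e:
pub:u:1024:17:89ABCDEF01234567:1112000000:::u:::scSC:
uid:u::::1112000000::1111111111111111111111111111111111111111::Persona Two <two@example.org>:
sub:u:2048:16:7654321076543210:1112000000::::::e:
"""

ORDER = "csea"  # display order, matching the CS/CSA style used in the thread

def parse_keys(colon_output):
    """Return one dict per primary key: its own capability letters, the
    aggregate usable set for the whole key, and each subkey's letters."""
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 12:
            continue  # uid/fpr/tru records carry no capability field
        caps = fields[11]
        if fields[0] == "pub":
            keys.append({
                "keyid": fields[4],
                "own": {c for c in caps if c.islower()},
                "usable": {c.lower() for c in caps if c.isupper() and c != "D"},
                "disabled": "D" in caps,
                "subkeys": [],
            })
        elif fields[0] == "sub" and keys:
            keys[-1]["subkeys"].append((fields[4], set(caps)))
    return keys

def describe(key):
    """Summarise as e.g. 'KEYID: primary CSA, whole key CSEA'."""
    own = "".join(c.upper() for c in ORDER if c in key["own"])
    usable = "".join(c.upper() for c in ORDER if c in key["usable"])
    return f"{key['keyid']}: primary {own}, whole key {usable}"

def primaries_without_certify(keys):
    """Every OpenPGP primary key must be able to certify; list any that
    lack 'c' (a malformed key or one GnuPG would not have produced)."""
    return [k["keyid"] for k in keys if "c" not in k["own"]]
```

Run it against real output with `gpg --list-keys --with-colons | python3 -c '...'` by passing `sys.stdin.read()` to `parse_keys`; the lowercase letters on the pub record are the primary key's own flags, which is the CS/CSA difference the thread asks about.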