Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 15:39, Damien Goutte-Gattat wrote:

> 
> I believe there's a bug in the handling of the regular expression
> associated with a trust signature. I've just submitted a patch to fix it
> [1]. With that patch applied, I get the expected result for step 10
> (Blake's key is fully valid, not the others') and step 14 (Blake's key
> is fully valid, and so are Chloe's and David's keys).

Thanks for that. I thought I was going mad!
I will look out for an update that contains your patch...

> 
> For step 16, none of the keys are valid, but I think that's the expected
> behavior: you signed Introducer with a level 2 trust signature
> restricted to example.es, so the signature of Blake's key (which has an
> example.org UID) is rightly ignored. Blake's key is thus of unknown
> validity and his signatures on Chloe's and David's keys are ignored as
> well.

I agree, I added that test because I wondered if I had misunderstood how
it ought to work.

> 
> (Side note: you can use the '%transient-key' directive when
> batch-generating keys for testing purposes. This instructs GnuPG to use
> a less secure but faster random number generator, thus speeding up the
> generation process.)
> 

I don't know how I missed that... right below %no-protection which I did
use :)

Your fast response to my query is much appreciated.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Trust signature domain

2017-01-18 Thread Damien Goutte-Gattat

Hi,

On 01/18/2017 03:51 PM, John Lane wrote:

> I think things look ok up to step 9 and point (a) and (b) appear to work
> as I expect but (c) doesn't. I'd really appreciate some feedback about
> what is happening in:
> step 10 (trust level 1 restricted to example.org)
> step 14 (trust level 2 restricted to example.org)
> step 16 (trust level 2 restricted to example.es)
> 
> It would appear that any domain restriction disables trust completely!


I believe there's a bug in the handling of the regular expression 
associated with a trust signature. I've just submitted a patch to fix it 
[1]. With that patch applied, I get the expected result for step 10 
(Blake's key is fully valid, not the others') and step 14 (Blake's key 
is fully valid, and so are Chloe's and David's keys).


For step 16, none of the keys are valid, but I think that's the expected 
behavior: you signed Introducer with a level 2 trust signature 
restricted to example.es, so the signature of Blake's key (which has an 
example.org UID) is rightly ignored. Blake's key is thus of unknown 
validity and his signatures on Chloe's and David's keys are ignored as well.


(Side note: you can use the '%transient-key' directive when 
batch-generating keys for testing purposes. This instructs GnuPG to use 
a less secure but faster random number generator, thus speeding up the 
generation process.)


Damien

[1] https://lists.gnupg.org/pipermail/gnupg-devel/2017-January/032472.html





Re: Trust signature domain

2017-01-18 Thread John Lane
On 18/01/17 03:03, David Shaw wrote:

> 
> Can you post the actual user IDs of the keys you are testing with (or a 
> similar example.com set) so I can try them as well?

Hi David,

I have written a test shell script to experiment with trust signatures.
The script is at https://git.io/vMXMQ

There are six participants: 'myself', who knows 'introducer', who knows
'alice' and 'blake'. 'blake' knows 'chloe' and 'david'.

'introducer' signs 'alice' and trust-signs 'blake', who signs 'chloe'
and 'david'.

'myself' trust-signs 'introducer'.

I'm working on the belief that:

(a) by trust-signing introducer at level 1, any keys certified by
introducer (i.e. alice and blake) become valid for me.
(b) by trust signing introducer at level 2 I extend (a) so that any keys
certified by a key trust-certified by introducer (blake) also become
valid for me (chloe and david).
(c) by trust signing with a domain restriction I limit the scope of (a)
and (b) but it is not clear to me how this applies.

I think things look ok up to step 9 and point (a) and (b) appear to work
as I expect but (c) doesn't. I'd really appreciate some feedback about
what is happening in:
step 10 (trust level 1 restricted to example.org)
step 14 (trust level 2 restricted to example.org)
step 16 (trust level 2 restricted to example.es)

It would appear that any domain restriction disables trust completely!

My test output is at https://git.io/vMXDa

Much appreciated.




Re: Trust signature domain

2017-01-17 Thread David Shaw
On Jan 16, 2017, at 11:52 AM, John Lane  wrote:
> 
> I'm trying to experiment with trust signatures but I can't work out how
> the 'domain' question is used?
> 
> I think I understand what it is for, but I can't enter a value and get
> it to work.
> 
> I have a key A that has signed b...@example.com and c...@example.org
> 
> If I tsign A at level 2 with the domain blank then B and C are fully valid.
> 
> If I tsign A at level 2 with a domain of example.com then neither are
> valid. I expected B to be valid.
> 
> From what I've read, I think this value might be a regular expression
> and need to be entered in a certain way.

The value is a regular expression internally, but you don't need to enter it as 
one. GnuPG automatically takes what you enter into the domain field and 
converts it to a regexp. For example:

  example.com

becomes:

  <[^>]+[@.]example\.com>$

Can you post the actual user IDs of the keys you are testing with (or a similar 
example.com set) so I can try them as well?

David


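As an added illustration of the conversion David describes (example code written for this thread, not GnuPG's own): it builds the regexp from a plain domain, using Python's re.escape in place of GnuPG's escaping (an assumption that yields the same result for a plain domain), and checks it against constructed User IDs, alongside the hand-typed unescaped variant Peter flagged further down the thread.

```python
import re


def domain_to_regexp(domain: str) -> str:
    """Build the UID regexp GnuPG derives from a plain domain typed at the
    tsign prompt, as described in the thread: 'example.com' becomes
    '<[^>]+[@.]example\\.com>$'. re.escape stands in for GnuPG's own
    escaping (assumption); for a plain domain only the dots are escaped."""
    return "<[^>]+[@.]" + re.escape(domain) + ">$"


def uid_in_scope(regexp: str, uid: str) -> bool:
    """True if the regexp matches the User ID string, i.e. certifications
    on this UID fall within the trust signature's domain restriction."""
    return re.search(regexp, uid) is not None


def filter_uids(domain: str, uids: list[str]) -> list[str]:
    """Return the UIDs that a trust signature restricted to `domain` covers."""
    rx = domain_to_regexp(domain)
    return [u for u in uids if uid_in_scope(rx, u)]


# Constructed sample User IDs (not the ones from the thread's test script).
SAMPLE_UIDS = [
    "Alice <alice@example.com>",        # different domain: out of scope
    "Blake <blake@example.org>",        # exact domain: in scope
    "Chloe <chloe@mail.example.org>",   # subdomain: in scope via the '.' in [@.]
    "Mallory <mallory@exampleXorg>",    # only matches if the dot is unescaped
    "Dave <dave@example.org> (old)",    # '>' not at end of string: out of scope
]

# The unescaped form John typed by hand; '.' here matches any character.
HAND_TYPED_UNESCAPED = r"<[^>]+@example.org>$"

if __name__ == "__main__":
    print(domain_to_regexp("example.org"))
    for uid in SAMPLE_UIDS:
        print(f"{uid:38s} gnupg={uid_in_scope(domain_to_regexp('example.org'), uid)!s:5s} "
              f"unescaped={uid_in_scope(HAND_TYPED_UNESCAPED, uid)}")
```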


Re: Trust signature domain

2017-01-17 Thread Loy Fortner
I don't know what you are talking about

On Jan 17, 2017 3:33 PM, "John Lane"  wrote:

> On 17/01/17 19:51, Peter Lebbing wrote:
>
> > Seems like an extended regexp with a mistake. The dot would actually
> > match any
> > character, it needs to be quoted:
> >
>
> Quite right, but it would match a dot too!
>
> I did try it with and without an escape without success.
>
> There seems to be very little information available about this feature
> beyond the high-level description in the prompt output from gpg.
>
>


Re: Trust signature domain

2017-01-17 Thread John Lane
On 17/01/17 19:51, Peter Lebbing wrote:

> Seems like an extended regexp with a mistake. The dot would actually match any
> character, it needs to be quoted:
> 

Quite right, but it would match a dot too!

I did try it with and without an escape without success.

There seems to be very little information available about this feature
beyond the high-level description in the prompt output from gpg.




Re: Trust signature domain

2017-01-17 Thread Peter Lebbing
On 17/01/17 18:17, John Lane wrote:
> <[^>]+@example.net>$

Seems like an extended regexp with a mistake. The dot would actually match any
character, it needs to be quoted:

<[^>]+@example\.net>$

(and quoted even further if provided through a shell).

I hope I didn't miss any other mistakes.

(I haven't actually tried to do anything at all with trust signatures, I just
noticed a mistake while reading your message.)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Trust signature domain

2017-01-17 Thread John Lane

>> I'm trying to experiment with trust signatures but I can't work out how
>> the 'domain' question is used ?
>>
The only thing I've been able to find is this regular expression:

|<[^>]+@example.net>$|

(http://linuxfr.org/users/gouttegd/journaux/de-la-confiance-dans-le-monde-openpgp#limitation-du-champ-des-trust-signatures)

I still can't make it work though!

FWIW gpg (GnuPG) 2.1.17


Trust signature domain

2017-01-16 Thread John Lane
I'm trying to experiment with trust signatures but I can't work out how
the 'domain' question is used?

I think I understand what it is for, but I can't enter a value and get
it to work.

I have a key A that has signed b...@example.com and c...@example.org

If I tsign A at level 2 with the domain blank then B and C are fully valid.

If I tsign A at level 2 with a domain of example.com then neither are
valid. I expected B to be valid.

From what I've read, I think this value might be a regular expression
and need to be entered in a certain way.

Any pointers appreciated.

