Re: ideal.dll // fixing thread breaking
On Fri, Jun 29, 2012 at 01:45:17PM -0400, Robert J. Hansen wrote:
> IMO, if your client is showing correct PGP/MIME signatures on this list, you should file a defect report about your client. The message has been changed in transit and is no longer in the exact same state as it was when the sender issued it. The change may be trivial, but it's still a change, and IMO it is not the job of the MUA to try and fix the botchery inflicted by GNU Mailman.
>
> The correct thing to do, IMO, is to report to the user the true state of affairs: the signature is not correct and the message appears to have been altered in transit.

I don't understand this. Mutt verifies the signature correctly, but Mutt is calling GnuPG externally. If the message was signed with a space, and if the space is being replaced by a tab character, then the signature should fail. Because it is not failing, is telling me that it was initially a tab when you signed the mail, and something either mangled it to be a space, or your diff(1) is reading a text that mangled the tab to a space.

I don't see how this is the failure of the MUA, but GnuPG says the signature verifies.

--
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On Fri, 29 Jun 2012 13:45:17 -0400 Robert J. Hansen r...@sixdemonbag.org wrote:

Hello Robert,

> IMO, if your client is showing correct PGP/MIME signatures on this list, you should file a defect report about your client.

It certainly warrants investigation. I'll check bug tracker and ML archives to see if it's known first.

--
Regards  _
        / )  The blindingly obvious is
       / _)rad  never immediately apparent
What do you call that noise, that you put on?
This Is Pop - XTC
Re: ideal.dll // fixing thread breaking
Hi,

On 28.06.2012 18:55, Brad Rogers wrote:
> On Thu, 28 Jun 2012 18:24:32 +0300 Mika Suomalainen mika.henrik.mai...@hotmail.com wrote:
>
> Hello Mika,
>
> > Were you able to verify that signature?
>
> Several people use PGP/MIME, all of which verify here, and include the list headers you seem to be saying get removed. Not only on this list, but many other lists, too.
>
> I have seen weirdness with *footers* and PGP signed messages, but that is with footers not being displayed, rather than being removed. Checking message source shows that they are still there.

I am using Enigmail and I cannot verify any PGP/MIME signatures on this list. They just appear as attachment: signature.asc and aren't recognized as PGP/MIME signatures.

This is why I have P-R rule to use PGP/INLINE on this list and others which I know to fail with PGP/MIME.

--
[Mika Suomalainen](https://mkaysi.github.com/) || NOTICE! I am on mobile broadband with very limited time, so I cannot read emails very much. The best time to contact me is probably weekends when I have better connectivity with good luck.
[gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728](http://mkaysi.github.com/PGP/key.txt) || [Why do I sign my emails?](http://mkaysi.github.com/PGP/WhyDoISignEmails.html) || [Do you have problems verifying my PGP/MIME signature on mailing list?](http://mkaysi.github.com/PGP/PGP-MIME.html) || [Please don't send HTML.](http://mkaysi.github.com/articles/complaining/HTML.html) || [This signature](https://gist.github.com/2643070#file_icedove.md)
[Please reply below this line](http://mkaysi.github.com/articles/complaining/topposting.html)
Re: ideal.dll // fixing thread breaking
On 28.06.2012 21:50, Peter Lebbing wrote:
> On 28/06/12 17:24, Mika Suomalainen wrote:
> > Were you able to verify that signature?
>
> I don't believe my Enigmail is willing to check any PGP/MIME signatures for me... must be something broken with the installation. I don't really pay attention to signatures on this mailing list, and this is the only place I come across PGP/MIME.

If you ask on Enigmail mailing list, they will tell you that that issue is with Mailman (or other mailing list software) which messes up with headers and makes PGP/MIME unverifiable. They will also say that this is why they recommend PGP/INLINE, it's more resistant to messing by mailing list software.

--
[Mika Suomalainen](https://mkaysi.github.com/)
Re: ideal.dll // fixing thread breaking
On 27.06.2012 18:33, Peter Lebbing wrote:
> For future reference, that URL is in the headers of every mail you get from the list, btw.

--
[Mika Suomalainen](https://mkaysi.github.com/)
Re: ideal.dll // fixing thread breaking
On Fri, 29 Jun 2012 10:31:09 +0300 Mika Suomalainen mika.henrik.mai...@hotmail.com wrote:

Hello Mika,

> If you ask on Enigmail mailing list, they will tell you that that issue is with Mailman (or other mailing list software) which messes up with headers and makes PGP/MIME unverifiable. They will also say that

Headers are outside what is signed, surely? Changing, adding or removing headers should have no bearing on the validity of PGP signatures. If header changes were involved, nothing would be verifiable, because every mail server an email passes through adds at least one more piece of info to those headers.

TBH, I'd have thought the issues you're experiencing are more likely to be caused by Hotmail.

--
Regards  _
        / )  The blindingly obvious is
       / _)rad  never immediately apparent
Your life is like a schedule, you run to meet the bills
Life Kills - Human League
Re: ideal.dll // fixing thread breaking
On 06/29/2012 08:06 AM, Brad Rogers wrote:
> > If you ask on Enigmail mailing list, they will tell you that that issue is with Mailman (or other mailing list software) which messes up with headers and makes PGP/MIME unverifiable. They will also say that
>
> Headers are outside what is signed, surely?

Mika is more or less right, except it isn't headers -- it's the PGP/MIME attachment separator. Mailman makes a very slight tweak and that's enough to bollix up the signature.

This mailing list does not play nice with PGP/MIME, the last time I checked. (For a long time Enigmail's list didn't, either, but that problem has since been fixed.) In general, PGP/MIME with GNU Mailman is always a roll of the dice.

begin speaking-for-Enigmail

And yes, Mika is right: that's why Enigmail recommends inline OpenPGP. We've all seen PGP/MIME break in too many different contexts. For instance, I've seen MTAs that strip off attachments, inspect the attachments for malware, then re-attach them but with very slight differences that break PGP/MIME. I've seen MUAs that can't understand it, mailing list software that breaks it, and so on.

PGP/MIME is a superior technical standard, but it's quite fragile. We believe PGP/MIME is the clear choice *if possible*, but given how often it's not possible we recommend inline OpenPGP by default.

end speaking-for-Enigmail

(This message is PGP/MIME signed. I know my system works correctly with PGP/MIME and that neither my MUA nor MTA mangle it. If it's not coming through, the most likely culprit is the list's GNU Mailman installation.)
Re: ideal.dll // fixing thread breaking
Hey all,

not meaning to spark up new discussions about this issue (we've had that before). But I really think, the energy invested in this discussion would be better invested in writing mailman tweaks.

Also, someone mentioned, that there already in fact *is* a mailman patch for PGP/MIME to work properly? Do I recall that memory correctly?

I'm stunned that this issue keeps coming up. http://www.gnu.org/software/mailman/ says Mailman 2.1.15 has been released on 13-June-2012. Is the patch in question included in that release?

Imo, things should rather move forward than stagnate and arguing that a mailing list software breaks PGP/MIME is fine. But as a consequence arguing for a non documented standard (OpenPGP Inline) is strange. I'd rather argue, that mailman needs a fix.

Let's not start a war over this. But could someone please elaborate why mailman after such a long time still breaks PGP/MIME?

All the best and kind regards,
steve

On 29.06.2012 at 17:48, Robert J. Hansen wrote:
> On 06/29/2012 08:06 AM, Brad Rogers wrote:
> > > If you ask on Enigmail mailing list, they will tell you that that issue is with Mailman (or other mailing list software) which messes up with headers and makes PGP/MIME unverifiable. They will also say that
> >
> > Headers are outside what is signed, surely?
>
> Mika is more or less right, except it isn't headers -- it's the PGP/MIME attachment separator. Mailman makes a very slight tweak and that's enough to bollix up the signature.
>
> This mailing list does not play nice with PGP/MIME, the last time I checked. (For a long time Enigmail's list didn't, either, but that problem has since been fixed.) In general, PGP/MIME with GNU Mailman is always a roll of the dice.
>
> begin speaking-for-Enigmail
>
> And yes, Mika is right: that's why Enigmail recommends inline OpenPGP. We've all seen PGP/MIME break in too many different contexts. For instance, I've seen MTAs that strip off attachments, inspect the attachments for malware, then re-attach them but with very slight differences that break PGP/MIME. I've seen MUAs that can't understand it, mailing list software that breaks it, and so on.
>
> PGP/MIME is a superior technical standard, but it's quite fragile. We believe PGP/MIME is the clear choice *if possible*, but given how often it's not possible we recommend inline OpenPGP by default.
>
> end speaking-for-Enigmail
>
> (This message is PGP/MIME signed. I know my system works correctly with PGP/MIME and that neither my MUA nor MTA mangle it. If it's not coming through, the most likely culprit is the list's GNU Mailman installation.)
Re: ideal.dll // fixing thread breaking
Oh dear. I found it. The bug has been reported 2003:

https://bugs.launchpad.net/mailman/+bug/265961

I wish I had better coding skills, but I don't. Sorry I can't code the fix...
Re: ideal.dll // fixing thread breaking
On Fri, 29 Jun 2012 18:00:03 +0200 Steve st...@gpgtools.org wrote:

Hello Steve,

> not meaning to spark up new discussions about this issue (we've had that before). But I really think, the energy invested in this

It was not my intention to open old wounds as it were. I was curious about Mika's statement, which made no sense to me. Robert's explained things. Curiosity satisfied.

> discussion would be better invested in writing mailman tweaks.

Would that I could. I had trouble with Hello World. In BASIC. :-(

--
Regards  _
        / )  The blindingly obvious is
       / _)rad  never immediately apparent
Watching the people get lairy
I Predict A Riot - Kaiser Chiefs
Re: ideal.dll // fixing thread breaking
On 29.06.2012 15:06, Brad Rogers wrote:
> Headers are outside what is signed, surely? Changing, adding or removing headers should have no bearing on the validity of PGP signatures. If header changes were involved, nothing would be verifiable, because every mail server an email passes through adds at least on more piece of info to those headers.

Ask Enigmail developers, they are giving me this explaining.

> TBH, I'd have thought the issues you're experiencing are more likely to be caused by Hotmail.

I am using GMail as headers probably say if you look at them.

PS. Could you install and setup Enigmail and try to verify PGP/MIME by yourself?

--
[Mika Suomalainen](https://mkaysi.github.com/)
Re: ideal.dll // fixing thread breaking
On 06/29/2012 12:00 PM, Steve wrote:
> not meaning to spark up new discussions about this issue (we've had that before). But I really think, the energy invested in this discussion would be better invested in writing mailman tweaks.

In the language of software engineering, this has moved from a defect to fix to a lifecycle issue. Defect is the stage where a bug is reported: fix is the stage where the fix is available: lifecycle is the often years-long process of getting the fix out to people who need it.

If I understand things correctly (and I may not be), Werner does not host gnupg.org himself. He rents a box in a colo facility for that, and he's more or less stuck with whatever versions of software the provider offers. The provider hasn't offered an updated GNU Mailman, so GnuPG-Users has this unfortunate situation where PGP/MIME doesn't reliably work on it.

For what it's worth, my message left here as a correctly-signed PGP/MIME message. I received it back from the list as just 'signature.asc'. A (partial) diff of the two emails reveals:

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===1821215289==
12,13c61,62
protocol=application/pgp-signature; boundary=enigBE03611A84F54D493777EBD6
---
protocol=application/pgp-signature; boundary=enigBE03611A84F54D493777EBD6
71a121,135
--===1821215289==
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

That should hopefully make it clear exactly what the problem is.
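Added example, not part of any poster's message: a small Python check of which bytes a PGP/MIME signature covers under RFC 3156 (the first part of the multipart/signed entity, including that part's own MIME headers, with CRLF line endings), so that a sent copy and a list copy like the two diffed above can be compared. The messages, addresses, boundaries and function names are constructed for the illustration, and a SHA-256 digest of the signed bytes stands in for a real GnuPG verification.

```python
import hashlib
import re

def content_type(head):
    """Return the unfolded Content-Type value of a header block."""
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    for line in unfolded.split("\n"):
        if line.lower().startswith("content-type:"):
            return line.split(":", 1)[1].strip()
    return "text/plain"

def body_parts(body, boundary):
    """Split a multipart body into its parts (raw text, LF line endings)."""
    delim, parts, current = "--" + boundary, [], None
    for line in body.split("\n"):
        marker = line.rstrip(" \t")
        if marker in (delim, delim + "--"):
            if current is not None:
                # The line break before a delimiter belongs to the delimiter.
                parts.append("\n".join(current))
            if marker == delim + "--":
                break
            current = []
        elif current is not None:
            current.append(line)
    return parts

def signed_part(raw):
    """Return the bytes the signature covers, or None if nothing is signed.

    Looks for the first multipart/signed entity at any nesting depth.
    """
    raw = raw.replace("\r\n", "\n")
    if raw.startswith("\n"):          # part without headers: plain text
        return None
    head, _, body = raw.partition("\n\n")
    ctype = content_type(head)
    if not ctype.lower().startswith("multipart/"):
        return None
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', ctype, re.I)
    if not m:
        return None
    parts = body_parts(body, m.group(1) or m.group(2))
    if ctype.lower().startswith("multipart/signed"):
        # Signed data = first part, headers included, canonical CRLF.
        return parts[0].replace("\n", "\r\n").encode("utf-8") if parts else None
    for part in parts:
        found = signed_part(part)
        if found is not None:
            return found
    return None

def signed_digest(raw):
    data = signed_part(raw)
    return None if data is None else hashlib.sha256(data).hexdigest()

# Constructed sample: the multipart/signed body as the sender produced it.
SIGNED_BODY = (
    "This is an OpenPGP/MIME signed message (RFC 2440 and 3156)\n"
    "--enigCONSTRUCTED\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Hello list.\n"
    "\n"
    "--enigCONSTRUCTED\n"
    'Content-Type: application/pgp-signature; name="signature.asc"\n'
    "\n"
    "(placeholder, not a real signature)\n"
    "--enigCONSTRUCTED--\n"
)
AS_SENT = (
    "From: sender@example.org\n"
    "Subject: test\n"
    "Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    ' protocol="application/pgp-signature";\n'
    ' boundary="enigCONSTRUCTED"\n'
    "\n" + SIGNED_BODY
)
# Constructed model of the list copy: wrapped in multipart/mixed, the
# multipart/signed header re-folded with tabs, and a footer part appended.
AS_RELAYED = (
    "From: sender@example.org\n"
    "Subject: test\n"
    'Content-Type: multipart/mixed; boundary="===OUTER=="\n'
    "\n"
    "--===OUTER==\n"
    "Content-Type: multipart/signed; micalg=pgp-sha1;\n"
    '\tprotocol="application/pgp-signature";\n'
    '\tboundary="enigCONSTRUCTED"\n'
    "\n" + SIGNED_BODY +
    "\n--===OUTER==\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "list footer\n"
    "--===OUTER==--\n"
)
# Constructed model of a relay that touches text inside the signed part.
AS_MANGLED = AS_RELAYED.replace("Hello list.\n", "Hello list. \n")

if __name__ == "__main__":
    for name, msg in (("sent", AS_SENT), ("relayed", AS_RELAYED),
                      ("mangled", AS_MANGLED)):
        print(name, signed_digest(msg))
```

In this model the wrapped copy hashes the same as the sent copy, while a single added space inside the signed part changes the digest; whether a given client then locates the nested multipart/signed entity is a separate question from whether the signed bytes survived.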
Re: ideal.dll // fixing thread breaking
On 06/29/2012 12:26 PM, Brad Rogers wrote:
> Seems okay here; Most messages check out, be they inline or MIME signed.

IMO, if your client is showing correct PGP/MIME signatures on this list, you should file a defect report about your client. The message has been changed in transit and is no longer in the exact same state as it was when the sender issued it. The change may be trivial, but it's still a change, and IMO it is not the job of the MUA to try and fix the botchery inflicted by GNU Mailman.

The correct thing to do, IMO, is to report to the user the true state of affairs: the signature is not correct and the message appears to have been altered in transit.
Re: ideal.dll // fixing thread breaking
On Fri, 29 Jun 2012 19:02:57 +0300 Mika Suomalainen mika.henrik.mai...@hotmail.com wrote:

Hello Mika,

> I am using GMail as headers probably say if you look at them.

The from address is hotmail. Message ID is hotmail, too. gmail *is* mentioned, but not in any of the transport headers.

Anyhow, Robert has explained where and how the breakage occurs.

> PS. Could you install and setup Enigmail and try to verify PGP/MIME by yourself?

Short answer; No.

Longer answer; I'm not inclined to install another MUA (Thunderbird), set it up for use, install enigmail and set that up, just to test for this breakage.

--
Regards  _
        / )  The blindingly obvious is
       / _)rad  never immediately apparent
You're only 29 got a lot to learn
Seventeen - Sex Pistols
Re: ideal.dll // fixing thread breaking
On Fri, 29 Jun 2012 11:48:28 -0400 Robert J. Hansen r...@sixdemonbag.org wrote:

Hello Robert,

> Mika is more or less right, except it isn't headers -- it's the PGP/MIME attachment separator. Mailman makes a very slight tweak and that's

That makes more sense. I thought I must have been going mad. :-)

> This mailing list does not play nice with PGP/MIME, the last time I checked. (For a long time Enigmail's list didn't, either, but that

Seems okay here; Most messages check out, be they inline or MIME signed. As I said before (IIRC) it's something else that borks the PGP sig.

Thanks for the explanations, Robert.

--
Regards  _
        / )  The blindingly obvious is
       / _)rad  never immediately apparent
I must be hallucinating, watching angels celebrating
There Must Be An Angel (Playing With My Heart) - Eurythmics
Re: ideal.dll // fixing thread breaking
On 06/29/2012 12:02 PM, Steve wrote:
> Oh dear. I found it. The bug has been reported 2003:
>
> https://bugs.launchpad.net/mailman/+bug/265961

That bug turned out to be in Enigmail, not Mailman. Mailman was repackaging the attachment in a way that was technically valid but which Enigmail wasn't expecting. Patrick fixed that bug about a decade ago: I think the fix predates the 0.9 release.

There was a different PGP/MIME bug that Daniel Kahn Gillmor [1] reported to Mailman a while ago, and discovered it had been fixed and was now a lifecycle issue.

The bug affecting GnuPG-Users may be either of those two older ones, or something completely new -- I've barely looked into it at all.

[1] Daniel, if I'm misspelling your last name please accept my apologies. I seem to never remember the correct spelling, and I assume you like seeing your name misspelled about as much as I like being called Rob Hanson. :)
Re: ideal.dll // fixing thread breaking
On 27.06.2012 18:33, Peter Lebbing wrote:
> For future reference, that URL is in the headers of every mail you get from the list, btw.

I think that it's not on those, which are PGP/MIME signed.

--
[Mika Suomalainen](https://mkaysi.github.com/)
Re: ideal.dll // fixing thread breaking
On 28/06/12 12:40, Mika Suomalainen wrote:
> I think that it's not on those, which are PGP/MIME signed.

The PGP/MIME signed mail by Brad Rogers in this very thread does include the headers:

[...]
Date: Wed, 27 Jun 2012 16:14:46 +0100
From: Brad Rogers b...@fineby.me.uk
To: gnupg-users@gnupg.org
Subject: Re: ideal.dll // fixing thread breaking
Message-ID: 20120627161446.058c6...@abydos.stargate.org.uk
In-Reply-To: 20120627143030.99d05e6...@smtp.hushmail.com
References: 20120627143030.99d05e6...@smtp.hushmail.com
[...]
List-Id: Help and discussion among users of GnuPG gnupg-users.gnupg.org
List-Unsubscribe: http://lists.gnupg.org/mailman/options/gnupg-users,
 mailto:gnupg-users-requ...@gnupg.org?subject=unsubscribe
List-Archive: /pipermail
List-Post: mailto:gnupg-users@gnupg.org
List-Help: mailto:gnupg-users-requ...@gnupg.org?subject=help
List-Subscribe: http://lists.gnupg.org/mailman/listinfo/gnupg-users,
 mailto:gnupg-users-requ...@gnupg.org?subject=subscribe
Content-Type: multipart/mixed; boundary0701166120==
Sender: gnupg-users-boun...@gnupg.org
Errors-To: gnupg-users-boun...@gnupg.org

--===0701166120==
Content-Type: multipart/signed; micalg=PGP-SHA256;
 boundary=Sig_/4hiLgDJgDUgTfM4CV5h8JMn; protocol=application/pgp-signature

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: ideal.dll // fixing thread breaking
On 28.06.2012 14:52, Peter Lebbing wrote:
> On 28/06/12 12:40, Mika Suomalainen wrote:
> > I think that it's not on those, which are PGP/MIME signed.
>
> The PGP/MIME signed mail by Brad Rogers in this very thread does include the headers:
>
> [...]
> Date: Wed, 27 Jun 2012 16:14:46 +0100
> From: Brad Rogers b...@fineby.me.uk
> To: gnupg-users@gnupg.org
> Subject: Re: ideal.dll // fixing thread breaking
> Message-ID: 20120627161446.058c6...@abydos.stargate.org.uk
> In-Reply-To: 20120627143030.99d05e6...@smtp.hushmail.com
> References: 20120627143030.99d05e6...@smtp.hushmail.com
> [...]
> List-Id: Help and discussion among users of GnuPG gnupg-users.gnupg.org
> List-Unsubscribe: http://lists.gnupg.org/mailman/options/gnupg-users,
>  mailto:gnupg-users-requ...@gnupg.org?subject=unsubscribe
> List-Archive: /pipermail
> List-Post: mailto:gnupg-users@gnupg.org
> List-Help: mailto:gnupg-users-requ...@gnupg.org?subject=help
> List-Subscribe: http://lists.gnupg.org/mailman/listinfo/gnupg-users,
>  mailto:gnupg-users-requ...@gnupg.org?subject=subscribe
> Content-Type: multipart/mixed; boundary0701166120==
> Sender: gnupg-users-boun...@gnupg.org
> Errors-To: gnupg-users-boun...@gnupg.org
>
> --===0701166120==
> Content-Type: multipart/signed; micalg=PGP-SHA256;
>  boundary=Sig_/4hiLgDJgDUgTfM4CV5h8JMn; protocol=application/pgp-signature

Were you able to verify that signature?

--
[Mika Suomalainen](https://mkaysi.github.com/)
Re: ideal.dll // fixing thread breaking
On Thu, 28 Jun 2012 18:24:32 +0300 Mika Suomalainen mika.henrik.mai...@hotmail.com wrote: Hello Mika, Were you able to verify that signature? Several people use PGP/MIME, all of which verify here, and include the list headers you seem to be saying get removed. Not only on this list, but many other lists, too. I have seen weirdness with *footers* and PGP signed messages, but that is with footers not being displayed, rather than being removed. Checking message source shows that they are still there. -- Regards _ / ) The blindingly obvious is / _)radnever immediately apparent Does she always shout at you, does she tell you what to do Family Life - Sham 69 signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On 28/06/12 17:24, Mika Suomalainen wrote: Were you able to verify that signature? I don't believe my Enigmail is willing to check any PGP/MIME signatures for me... must be something broken with the installation. I don't really pay attention to signatures on this mailing list, and this is the only place I come across PGP/MIME. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Mon, Jun 25, 2012 at 08:44:11PM +0200, Werner Koch wrote: On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: So, if the system can be improved by removing support for PGP2, which includes cleaning up code, squashing bugs, and tightening security, then why is it still around? 20 years later? BTW, removing the v3 support will not make the code magically less complex. Removing mature code may actually introduce more bugs than keeping it. Thus, the reason I began with 'if'. :) -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o pgpeCt33quAzm.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On Wed, 27 Jun 2012 09:33:38 -0400 Aaron Toponce aaron.topo...@gmail.com wrote: On Mon, Jun 25, 2012 at 08:44:11PM +0200, Werner Koch wrote: On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: So, if Thus, the reason I began with 'if'. :) Am using Hushmail (have been using it since it came out) and am replying to the above gnupg message to try to see how to fix the 'thread-breaking' problem. I get the gnupg as a 'digest', and as an individual e-mail when the poster cc's me. This post is currently a reply to the original poster and cc'd to the list. I hope it does * not* break the thread, but am afraid it probably will. The only fix I can think of, is to get the gnupg posts as individual e-mails, not as a digest, and reply to them. If anyone has an idea of how to fix it, am willing to try. btw, how do I change from 'digest-mode' to 'individual-list mode'? does it require unsubscribing and re-subscribing, or is there an easier way? Thanks, vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On Wed, 27 Jun 2012 10:30:30 -0400 ved...@nym.hush.com wrote: Hello ved...@nym.hush.com, Unfortunately, as you suspected, the message I'm replying to did break threading. It's Hushmail that's at fault, I believe. does it require unsubscribing and re-subscribing, or is there an easier way? Sadly, with mailman, unsubbing and resubbing is the only way for a regular user to change their subscription format. -- Regards _ / ) The blindingly obvious is / _)radnever immediately apparent Go away, come back, go away, come back Leave Me Alone (I'm Lonely) - P!nk signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On 27/06/12 16:30, ved...@nym.hush.com wrote: btw, how do I change from 'digest-mode' to 'individual-list mode'? Go to http://lists.gnupg.org/mailman/options/gnupg-users, enter your e-mail address and password you subscribed with, and you get an interface where you can change such settings. For future reference, that URL is in the headers of every mail you get from the list, btw. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On 27/06/12 17:14, Brad Rogers wrote: Sadly, with mailman, unsubbing and resubbing is the only way for a regular user to change their subscription format. Having switched from digest to individual message mode myself about a year ago, I can tell you you are mistaken. I did it successfully in the options web interface as described in my other mail. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
On Wed, 27 Jun 2012 11:34:02 -0400 Peter Lebbing pe...@digitalbrains.com wrote: and you get an interface where you can change such settings. ok changed to individual digest mode, and replying directly (hushmail default of 'reply' is to individual user and cc to list) hope it works, if not, any other suggestions to try in hushmail? TIA vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll // fixing thread breaking
ved...@nym.hush.com wrote: ok changed to individual digest mode, and replying directly (hushmail default of 'reply' is to individual user and cc to list) hope it works, if not, any other suggestions to try in hushmail? TIA vedaal I just set up a free hushmail account, using the web interface you don't get an In-Reply-To field in the header. I couldn't find any settings which would enable this. So, if you're using a free hushmail account then I guess you're going to continue breaking threads. If you're a premium user then you can use pop and/or imap and a different mail client. -- Andy Ruddock - andy.rudd...@rainydayz.org (GPG Key ID 0xB0324245)
Re: ideal.dll // fixing thread breaking (Andy Ruddock)
Date: Wed, 27 Jun 2012 17:54:16 +0100 From: Andy Ruddock andy.rudd...@rainydayz.org I just set up a free hushmail account, using the web interface you don't get an In-Reply-To field in the header. I couldn't find any settings which would enable this. So, if you're using a free hushmail account then I guess you're going to continue breaking threads. If you're a premium user then you can use pop and/or imap and a different mail client. am a premium user (btw, free hushmail has very little space, and doesn't allow for nym's, so any hush user whose e-mail address ends in 'nym.hush.com' is a premium user) Usually access gnupg during downtime at work, and cannot use a 'nym' on my work-based e-mail clients. Will think about setting up a 'non-thread breaker' thunderbird arrangement on my laptop, and send messages from there Thanks vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On 25-06-2012 0:11, Werner Koch wrote: A few years later it was obvious that MD5 is broken in practice. I can't understand anyone suggesting to use PGP2. I have heard of people keep on using and suggesting =4k keys but still being bounded to the broken MD5 and the flawed PGP public key packet and protection. This is plain stupid. That depends on your threat model. If signing messages is not so important to you but encrypting is, this advice is understandable. So let MD5 be broken, it matters not for encryption. Not that I would suggest to start using pgp 2 now, but I have no issues using my old pgp 2 key with GnuPG. The RNG in PGP2 is also questionable because it has not been designed to cope with modern OSes. Did anyone study the effect this has in using pgp 2 on modern Linux or Windows systems? I have the impression that very serious bugs, like the one in the RNG for pgp 5 for Unix, will eventually surface anyway. Now some claim that PGP 2 is better because it is so easy to audit the code. Okay, that might be the case for the PGP 2 source. However, who is going to audit the libc, WM (note keyboard interrupts!), kernel, msvc, gcc or hypervisor code. That is far more complex than PGP 2. If I had to write malware I would never directly attack PGP or GPG but go for other components (D-Bus services anyone?). Subvert the most invisible part of the system and not what script kiddies will do. This suggests a threat model where your opponent has almost Stuxnet like capabilities. Since the pgp 2 days we get warnings about adapted compilers, but I've never seen something like that surfacing. I'm not saying it is impossible but I doubt it is practically doable on a large scale. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Mon, 25 Jun 2012 16:18, joh...@vulcan.xs4all.nl said: That depends on your threat model. If signing messages is not so important to you but encrypting is, this advice is understandable. So let MD5 be broken, it matters not for encryption. Not that I would Sure it matters. The self-signatures are bound using MD5 based signatures and thus the user id and the web of trust signatures are prone to MD5 attacks. Did anyone study the effect this has in using pgp 2 on modern Linux or I don't care about PGP2 nor do the majority of crypto users. The RNG from PGP2 is usually used as an early example on the design of a RNG. This suggests a threat model where your opponent has almost Stuxnet like capabilities. Since the pgp 2 days we get warnings about adapted You seem to have that threat model: You created a 2k RSA key back in 2000. Even today it is not possible for any public institution to break a 1024 bit key. Thus why are you still advocating MD5? compilers, but I've never seen something like that surfacing. I'm not saying it is impossible but I doubt it is practically doable on a large The business is that it shall not be visible on the surface. Kernel based key loggers are a standard feature of most trojans. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On 06/25/2012 10:18 AM, Johan Wevers wrote: That depends on your threat model. If signing messages is not so important to you but encrypting is, this advice is understandable. So let MD5 be broken, it matters not for encryption. If MD5 signatures can be forged (and news reports strongly indicate they can be), that means the self-signature on certificates is now susceptible to forgery. This suggests a threat model where your opponent has almost Stuxnet like capabilities. It may make sense to talk about specific things we've discovered about those two pieces of work (Flame being the other), but let's be careful using them as adjectives. We genuinely don't know enough about them: it will take the public antivirus community years to discover exactly what and how they do what they do. Since the pgp 2 days we get warnings about adapted compilers, but I've never seen something like that surfacing. Lieutenant, when you see Indians, be careful. When you don't see Indians, be more careful. -- _Ride Ranger Ride_, a 1936 Gene Autry film Competent malware hides better than Lamont Cranston. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
Robert J. Hansen wrote: On 06/24/2012 06:11 PM, Werner Koch wrote: I am telling for more than a decade that PGP 2 should not be used anymore.
The list may find my own timeline of MD5 to be worth reading -- it might give some insight into why PGP 2 (in particular the MD5 vulnerabilities) tend to engender such passionate responses.
1993: Bosselaers and Den Boer present a theoretical break on MD5.
1996: Hans Dobbertin breaks MD5. His results are immediately dismissed as theoretical when they are nothing but. The security of a Merkle-Damgard hash (such as MD5) cannot be greater than the collision resistance of its compression function. Dobbertin is able to break MD5's compression function in *seconds* on desktop hardware. The MD5 death clock begins ticking down: we know (thanks to Dobbertin) that collisions can be generated against the full MD5 in seconds, but we don't yet know how.
1997: As an undergraduate, I read Dobbertin's paper and get shocked. I start advocating migration to SHA-1 and/or RIPEMD160. Nobody listens to me, and maybe rightfully so: after all, I'm just an undergrad. That said, I'm in good company: lots of other very serious cryppies are advocating the same.
1998: Internal debates begin at PGP Security over whether MD5 should be considered deprecated (technically valid, but advised against) or obsolete (no longer valid). (This is according to Len Sassaman.)
2001: People are still using MD5 in applications that need a collision-resistant hash function. I begin to get irritated: we've had five years to do migrations. Some important people within the community at that time (e.g., Imad Faiad) proclaim that MD5 is still secure and the vulnerabilities against it are still only theoretical and may never come to pass. I begin to tell people that if we don't see real MD5 collisions within five years to never again believe anything I say.
2002: I enter graduate school for computer science and begin working in electronic voting. I see systems being developed at that time which rely on the collision-resistance of MD5. I begin to get unhinged. In order to prove the ineffectiveness of MD5, I begin to work on MD5 collisions for my Master's thesis.
2004: Shengdong University publishes the first MD5 collisions. I have a very long and dejected talk with my advisor about my degree plans. I take a Master's without thesis, but I tell my advisor I'm looking on the bright side: no one can claim MD5 is still safe, right?
2004: People continue to say MD5 is still safe, claiming that the Shengdong University attacks are impractical -- they can only produce collisions in random data, which means you can't forge a particular signature on particular data.
2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and the NSA's website. Dan is able to, in realtime, tweak the EFF's website with nondisplaying characters in order to make it look unchanged from the original but have the same MD5 hash as the NSA's website. I was there in the audience and my jaw was on the floor.
2005: People continue to say MD5 is still safe, claiming that... oh, God, I lose track at this point, honestly. At this point my brain shuts down and I begin to believe anyone advocating MD5 where collision resistance is necessary is living in resolute denial of the facts.
2008: The first public disclosure of a forged MD5-based SSL certificate.
2008: US-CERT issues a Vulnerability Notice which says in plain language, "Software developers, Certification Authorities, website owners and users should avoid using the MD5 algorithm in any capacity." (Ref: http://www.kb.cert.org/vuls/id/836068 )
2012: News reports circulate that the Flame virus propagated by forging an MD5-based Microsoft signature.
2012: On this mailing list, 16 years after experts recommended migrating away from MD5 and four years after US-CERT categorically declared MD5 to be a "do not use" algorithm, we're having a discussion about PGP 2.6, which is deeply married to MD5.
After reviewing the past 19 years of results on MD5 and the community's reaction to them, all I can say is ... nothing, really. I used to be able to get a lot of outrage summoned up over this subject, but now I've been reduced to making faint whimpering noises.
A new scientific truth does not triumph by convincing opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. -- Max Planck
-- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:3EDBB65E 9A2FC99A Registered Machine
Re: ideal.dll
On Mon, Jun 25, 2012 at 12:11:57AM +0200, Werner Koch wrote: I am telling for more than a decade that PGP 2 should not be used anymore. The rationale for this was that OpenPGP is a standard and fixes great many problems of PGP 2. GnuPG supports PGP 2 only because this provides a way to migrate away from PGP 2. But: We are now in 2012 - 20 years after PGP 2. So, if the system can be improved by removing support for PGP2, which includes cleaning up code, squashing bugs, and tightening security, then why is it still around? 20 years later? -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o pgpXLmXd5KptX.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Mon, 25 Jun 2012 20:12, aaron.topo...@gmail.com said: So, if the system can be improved by removing support for PGP2, which includes cleaning up code, squashing bugs, and tightening security, then why is it still around? 20 years later? Because you still want to be able to decrypt your 20 year old files. Meanwhile this is even legally possible due to the expiration of the IDEA patent. We probably need to keep this kind of support for all time. Keeping the ability to encrypt using v3 keys will likely be removed in one of the next GnuPG versions. I don't have an answer to your actual question. The reason might be that there are a few loud voices who tell everyone that they need IDEA and v3 keys to save the world. I don't understand it. However, it is often easier to allow people to shoot into their feet than spending a lot of time with fruitless discussions. BTW, removing the v3 support will not make the code magically less complex. Removing mature code may actually introduce more bugs than keeping it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Fri, 22 Jun 2012 20:52, ved...@nym.hush.com said: Am somewhat surprised by the unprovoked V3 rants, when I asked for nothing from anyone, and only thanked WK for allowing it to happen. I am telling for more than a decade that PGP 2 should not be used anymore. The rationale for this was that OpenPGP is a standard and fixes great many problems of PGP 2. GnuPG supports PGP 2 only because this provides a way to migrate away from PGP 2. But: We are now in 2012 - 20 years after PGP 2. A few years later it was obvious that MD5 is broken in practice. I can't understand anyone suggesting to use PGP2. I have heard of people keep on using and suggesting =4k keys but still being bounded to the broken MD5 and the flawed PGP public key packet and protection. This is plain stupid. The RNG in PGP2 is also questionable because it has not been designed to cope with modern OSes. Mouse and keyboard interrupts are not anymore a good source of entropy - they are not straight hardware interrupts as they used to be on MSDOS or early BSDs. Now some claim that PGP 2 is better because it is so easy to audit the code. Okay, that might be the case for the PGP 2 source. However, who is going to audit the libc, WM (note keyboard interrupts!), kernel, msvc, gcc or hypervisor code. That is far more complex than PGP 2. If I had to write malware I would never directly attack PGP or GPG but go for other components (D-Bus services anyone?). Subvert the most invisible part of the system and not what script kiddies will do. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On 06/24/2012 06:11 PM, Werner Koch wrote: I am telling for more than a decade that PGP 2 should not be used anymore.
The list may find my own timeline of MD5 to be worth reading -- it might give some insight into why PGP 2 (in particular the MD5 vulnerabilities) tend to engender such passionate responses.
1993: Bosselaers and Den Boer present a theoretical break on MD5.
1996: Hans Dobbertin breaks MD5. His results are immediately dismissed as theoretical when they are nothing but. The security of a Merkle-Damgard hash (such as MD5) cannot be greater than the collision resistance of its compression function. Dobbertin is able to break MD5's compression function in *seconds* on desktop hardware. The MD5 death clock begins ticking down: we know (thanks to Dobbertin) that collisions can be generated against the full MD5 in seconds, but we don't yet know how.
1997: As an undergraduate, I read Dobbertin's paper and get shocked. I start advocating migration to SHA-1 and/or RIPEMD160. Nobody listens to me, and maybe rightfully so: after all, I'm just an undergrad. That said, I'm in good company: lots of other very serious cryppies are advocating the same.
1998: Internal debates begin at PGP Security over whether MD5 should be considered deprecated (technically valid, but advised against) or obsolete (no longer valid). (This is according to Len Sassaman.)
2001: People are still using MD5 in applications that need a collision-resistant hash function. I begin to get irritated: we've had five years to do migrations. Some important people within the community at that time (e.g., Imad Faiad) proclaim that MD5 is still secure and the vulnerabilities against it are still only theoretical and may never come to pass. I begin to tell people that if we don't see real MD5 collisions within five years to never again believe anything I say.
2002: I enter graduate school for computer science and begin working in electronic voting. I see systems being developed at that time which rely on the collision-resistance of MD5. I begin to get unhinged. In order to prove the ineffectiveness of MD5, I begin to work on MD5 collisions for my Master's thesis.
2004: Shengdong University publishes the first MD5 collisions. I have a very long and dejected talk with my advisor about my degree plans. I take a Master's without thesis, but I tell my advisor I'm looking on the bright side: no one can claim MD5 is still safe, right?
2004: People continue to say MD5 is still safe, claiming that the Shengdong University attacks are impractical -- they can only produce collisions in random data, which means you can't forge a particular signature on particular data.
2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and the NSA's website. Dan is able to, in realtime, tweak the EFF's website with nondisplaying characters in order to make it look unchanged from the original but have the same MD5 hash as the NSA's website. I was there in the audience and my jaw was on the floor.
2005: People continue to say MD5 is still safe, claiming that... oh, God, I lose track at this point, honestly. At this point my brain shuts down and I begin to believe anyone advocating MD5 where collision resistance is necessary is living in resolute denial of the facts.
2008: The first public disclosure of a forged MD5-based SSL certificate.
2008: US-CERT issues a Vulnerability Notice which says in plain language, "Software developers, Certification Authorities, website owners and users should avoid using the MD5 algorithm in any capacity." (Ref: http://www.kb.cert.org/vuls/id/836068 )
2012: News reports circulate that the Flame virus propagated by forging an MD5-based Microsoft signature.
2012: On this mailing list, 16 years after experts recommended migrating away from MD5 and four years after US-CERT categorically declared MD5 to be a "do not use" algorithm, we're having a discussion about PGP 2.6, which is deeply married to MD5.
After reviewing the past 19 years of results on MD5 and the community's reaction to them, all I can say is ... nothing, really. I used to be able to get a lot of outrage summoned up over this subject, but now I've been reduced to making faint whimpering noises.
___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On 06/24/2012 09:05 PM, Robert J. Hansen wrote: 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and the NSA's website. Dan is able to, in realtime, tweak the EFF's website with nondisplaying characters in order to make it look unchanged from the original but have the same MD5 hash as the NSA's website. I was there in the audience and my jaw was on the floor. Forgot to footnote: the slides from this talk are available on the Web. http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-kaminsky/bh-jp-05-kaminsky.pdf ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
ideal.dll
Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on Thu Jun 21 22:38:31 CEST 2012 : v3 keys have a serious vulnerability in that their fingerprint mechanism is trivially gamable, so long keyid collisions are easy. The 'serious vulnerability' you refer to, is trivially countered by simply listing the keysize together with the fingerprint. The 'long keyid collisions' (which consist of generating new keys over and over again, until getting one whose fingerprint matches the target fingerprint, is only possible with today's resources, by *not constraining the size of the key* (e.g. the 'fake key' might have 2791 bits, and so, won't fool any of the remailer crowd that persists in using pgp 2.x.) If you have any evidence that such collisions are possible with the resultant keysize being the same as the target keysize, please post, thanks. You should retire your v3 key, as should anyone else with such a key. Please! Have made 'minimal' headway in trying to convince remailer people to use gnupg and give up v3 keys. Some remailers do use gnupg. Main user arguments in holding onto pgp 2.x, isn't some bizarre nostalgia, (they are willing to use Disastry's version which accepts all hashes gnupg accepts (not just md5) and , except for Camellia, all symmetric algorithms that gnupg accepts). ( I haven't used classic pgp2 since the first Disastry version came out.) These are people who actually read each line of the source code of pgp2.x. I've asked in the past, if there could be a 'minimalist' gnupg version, (e.g., using only RSA, 3DES, SHA1, and SHA 256 and maybe only vintage necessary gnupg options) so that the source code is small enough that someone can read it from scratch in a reasonable amount of time (and not dependent on 'just keeping up with the 'diffs'.) It would still be compatible with current gnupg, which would, by default, honor the 3DES preferences in the 'minimalist' version. 
( I wish I were fluent in C, and could write patches myself, and cannibalize the early versions of gnupg, and come up with a draft of code that just needs to be audited, fixed, and vetted, instead of begging for features, but I'm not anywhere near ready :-((( , so I understand the futility/arrogance of asking for so much work to be done, and for free, and am 'not pushing' it. ) In any event, I have other newer keys, and rarely use my v3 key except for people who insist on it. vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Jun 22, 2012, at 10:21 AM, ved...@nym.hush.com wrote: Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on Thu Jun 21 22:38:31 CEST 2012 : v3 keys have a serious vulnerability in that their fingerprint mechanism is trivially gamable, so long keyid collisions are easy. The 'serious vulnerability' you refer to, is trivially countered by simply listing the keysize together with the fingerprint. There is more than one attack against V3. There is the bit sliding attack, where you can forge the whole fingerprint, but as a side effect it changes the keysize, and there is the DEADBEEF attack where you can forge the key ID, but not the fingerprint. I believe Daniel is referring to DEADBEEF here. Using DEADBEEF, I can make a V3 key with a 64-bit key ID without affecting the keysize. It's an old attack, but is receiving more interest recently for some reason. If you have any evidence that such collisions are possible with the resultant keysize being the same as the target keysize, please post, thanks. I just sent you a private mail containing a key with your key ID ;) David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
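The two V3 weaknesses named in the message above follow from how RFC 4880 (section 12.2) defines V3 and V4 identifiers. The sketch below is an added example, not part of the thread: it uses constructed toy integers (not real RSA keys) to show that a V3 fingerprint does not bind the key size, that a V3 key ID is only the low 64 bits of the modulus, and how a V4 fingerprint and the keysize-pinning check discussed in this thread behave on the same values; all function and constant names are made up for the example.

```python
import hashlib

KEYID_MASK = (1 << 64) - 1


def mpi_body(x: int) -> bytes:
    """Big-endian magnitude of x with no leading zero octets (the MPI body)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def mpi(x: int) -> bytes:
    """Full OpenPGP MPI: two-octet bit count followed by the body."""
    return x.bit_length().to_bytes(2, "big") + mpi_body(x)


def v3_fingerprint(n: int, e: int) -> str:
    """V3: MD5 over the MPI bodies of n then e, without their length octets."""
    data = mpi_body(n) + mpi_body(e)
    return hashlib.md5(data, usedforsecurity=False).hexdigest().upper()


def v3_key_id(n: int) -> str:
    """V3: the key ID is simply the low 64 bits of the RSA modulus."""
    return format(n & KEYID_MASK, "016X")


def v4_fingerprint(n: int, e: int, created: int = 0) -> str:
    """V4: SHA-1 over 0x99, a two-octet length, and the whole key packet."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    header = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(header + body).hexdigest().upper()


def v4_key_id(n: int, e: int, created: int = 0) -> str:
    """V4: the key ID is the low 64 bits of the fingerprint, not of n."""
    return v4_fingerprint(n, e, created)[-16:]


def matches_pinned_v3(n: int, e: int, pinned_fpr: str, pinned_bits: int) -> bool:
    """Workaround from the thread: compare fingerprint and keysize together."""
    return v3_fingerprint(n, e) == pinned_fpr and n.bit_length() == pinned_bits


# Constructed toy values (assumption: chosen only so every octet is non-zero).
BLOB = bytes(range(0xA1, 0xB5))  # 20 octets, split two ways into (n, e)
N_A, E_A = int.from_bytes(BLOB[:16], "big"), int.from_bytes(BLOB[16:], "big")
N_B, E_B = int.from_bytes(BLOB[:17], "big"), int.from_bytes(BLOB[17:], "big")
# Same low 64 bits and same bit length as N_A, but a different number.
N_C = N_A ^ (1 << 100)


def demo() -> dict:
    """Summarise what each identifier does and does not distinguish."""
    fpr_a = v3_fingerprint(N_A, E_A)
    return {
        # Moving the n/e boundary keeps the hashed octets identical ...
        "v3_fpr_same_after_slide": fpr_a == v3_fingerprint(N_B, E_B),
        # ... but the modulus size changes, which a keysize pin notices.
        "bits": (N_A.bit_length(), N_B.bit_length()),
        "pin_accepts_original": matches_pinned_v3(N_A, E_A, fpr_a, 128),
        "pin_rejects_slid": not matches_pinned_v3(N_B, E_B, fpr_a, 128),
        # V4 hashes the MPI length octets too, so the two splits differ.
        "v4_fpr_differs": v4_fingerprint(N_A, E_A) != v4_fingerprint(N_B, E_B),
        # A V3 key ID says nothing about the modulus above bit 63, and the
        # keysize is unchanged; only the fingerprint tells N_A and N_C apart.
        "v3_keyid_same": v3_key_id(N_A) == v3_key_id(N_C),
        "same_keysize": N_A.bit_length() == N_C.bit_length(),
        "v3_fpr_differs": fpr_a != v3_fingerprint(N_C, E_A),
        "v4_keyid_differs": v4_key_id(N_A, E_A) != v4_key_id(N_C, E_A),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
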
Re: ideal.dll
On Fri, Jun 22, 2012 at 10:21:35AM -0400, ved...@nym.hush.com wrote: vulnerability in that their fingerprint mechanism is trivially gamable, so long keyid collisions are easy. [snip] Please fix your mail client. It is breaking threads. Thanks, -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o pgp3tZjsBPsph.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Fri, 22 Jun 2012 11:23:27 -0400 David Shaw ds...@jabberwocky.com wrote: There is more than one attack against V3. There is the bit sliding attack, where you can forge the whole fingerprint, but as a side effect it changes the keysize, and there is the DEADBEEF attack where you can forge the key ID, but not the fingerprint. I believe Daniel is referring to DEADBEEF here. Using DEADBEEF, I can make a V3 key with a 64-bit key ID without affecting the keysize. I just sent you a private mail containing a key with your key ID ;) Thanks, Cute ;-) but as I posted earlier, trivially countered by simply listing the keysize together with the fingerprint. vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote: trivially countered by simply listing the keysize together with the fingerprint. This is, unfortunately, not a trivial fix. Already people don't pay attention to proper validation because the idea of checking the fingerprint is alien to them, they don't understand it, don't understand why it's necessary. Adding another step of verify the keysize, too will just compound the problem. If your solution takes the worst part of key validity checking and makes it even worse, then that's not a fix: that's an emergency stopgap measure while people move to a better cryptosystem, such as V4 keys. If you want to call it a stopgap, sure, I'll agree with you. But I can't agree that what you're calling a fix actually fixes anything. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ideal.dll
On Fri, 22 Jun 2012 12:56:46 -0400 Robert J. Hansen r...@sixdemonbag.org wrote:
> On 6/22/2012 12:39 PM, ved...@nym.hush.com wrote:
>> trivially countered by simply listing the keysize together with the
>> fingerprint.
>
> This is, unfortunately, not a trivial fix. Already people don't pay
> attention to proper validation because the idea of checking the
> fingerprint is alien to them, they don't understand it, don't understand
> why it's necessary. Adding another step of "verify the keysize, too"
> will just compound the problem.

I'm not now, (and have not been since the ADK v4 bug was fixed ;-) ), advocating that people should generate v3 keys as a choice.

Anyone new to crypto, should definitely use only a v4 key.

As you mentioned earlier, the v3 people have an entrenched user-base, and are hardly novices, and 'for them', listing the keysize with the fingerprint, really is trivial.

(I never called it a 'fix'. It's an easily describable and do-able workaround for people who need their v3's for their preferred cryptosystem.)

vedaal

Re: ideal.dll
On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote:
> As you mentioned earlier, the v3 people have an entrenched user-base,
> and are hardly novices, and 'for them', listing the keysize with the
> fingerprint, really is trivial.

If people want to keep using PGP 2.6, let them, but I'm not going to help them do it. If people want an emergency stopgap while they migrate to OpenPGP, I'll happily help. Unfortunately, at this point essentially all the people who would migrate have already migrated.

PGP 2.6 is dead, dead, dead, dead, dead, dead, dead, dead, dead, dead. PGP 2.6 is highly dependent on MD5, for which *we have already seen in-the-wild signature forgeries*. That deserves to be underlined and highlighted and carved in twelve-foot-high flaming letters. Anyone using PGP 2.6 today is either in resolute denial of the facts or totally clueless.

For this reason, I have no interest in helping out PGP 2.6 users. If they really want to migrate to OpenPGP, then yes, let's do what we can to help in the migration. But anything that lets them continue to stick their heads in the sand and deny reality is -- well, without passing moral judgment on that, I have zero interest in helping.

Were it up to me, PGP 2.6 support in GnuPG would be reduced to read-only. So be thankful Werner isn't paying attention to my preferences. :)

Re: ideal.dll
On Fri, 22 Jun 2012 14:18:25 -0400 Robert J. Hansen r...@sixdemonbag.org wrote:
> If people want to keep using PGP 2.6, let them, but I'm not going to
> help them do it.
>
> Were it up to me, PGP 2.6 support in GnuPG would be reduced to
> read-only. So be thankful Werner isn't paying attention to my
> preferences. :)

Actually, I don't mind 'read only' ;-)

(The vast majority of v3 users have little interest in anything other than pgp 2.x, and aren't asking for anyone's support, and can always be reached with pgp 2.x. (You might be interested to 'just look' at Disastry's multi 6 version, not necessary to use md5 or idea)

WK said that the new libcrypt will support idea. Gnupg 2.x allows importing v3 keys.

I have a great many encrypted e-mails and files that were done with v3 keys, (some of them by people no longer in the land of the living ;-(( )

It is useful to be able to decrypt them, and nostalgic to see their verified signatures, and am thankful to WK for allowing this in gnupg 1.x, and soon in gnupg 2.x.

Am somewhat surprised by the unprovoked V3 rants, when I asked for nothing from anyone, and only thanked WK for allowing it to happen.

vedaal

Re: ideal.dll
On 06/22/2012 02:52 PM, ved...@nym.hush.com wrote:
> Am somewhat surprised by the unprovoked V3 rants, when I asked for
> nothing from anyone, and only thanked WK for allowing it to happen.

Your characterization of "adding the key length is a trivial [something]" is what irritated me. As I mentioned, it's not trivial, it doesn't fix the real underlying problem, it complicates things, and we should be pushing people to move to v4 keys anyway.

IMO, any time spent talking about how to 'fix' PGP 2.6 is unserious and wasted. You can't fix it. You can't even mitigate the damage, since forged MD5 signatures are now known to be in the wild.

Re: ideal.dll
On Fri, Jun 22, 2012 at 02:18:13PM -0400, Robert J. Hansen wrote:
> On 6/22/2012 1:44 PM, ved...@nym.hush.com wrote:
>> As you mentioned earlier, the v3 people have an entrenched user-base,
>> and are hardly novices, and 'for them', listing the keysize with the
>> fingerprint, really is trivial.
>
> If people want to keep using PGP 2.6, let them, but I'm not going to
> help them do it. If people want an emergency stopgap while they migrate
> to OpenPGP, I'll happily help. Unfortunately, at this point essentially
> all the people who would migrate have already migrated.

There are people using v3 keys that are not using MD5 (other than the fingerprint, obviously). I am one of them. My v3 key (0x560553e7) has v4 self-signatures on it, none of which recommend MD5. All of the preferences are for algorithms presently considered strong (except SHA-1, but removing that isn't possible, unfortunately). Obviously, I'm not using PGP 2.6, since it won't read my key.

I have moved to using a v4 key for everyday usage, but my v3 key still has more signatures on it than my v4 key, and I am not planning on revoking it by any means. I still accept signatures on it and data encrypted to it, just like I do with my v4 key.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187