Re: How know who is a file encrypted for ?

2008-02-28 Thread Dirk Traulsen
On 28 Feb 2008 at 10:04, Wilhelm Müller wrote:

> > On Wed, 27 Feb 2008 13:23:34 -0500, David Shaw
> <[EMAIL PROTECTED]> said:
>
> David> Why?
> 
> David> I'm serious - what is the use case here?  How often do
> David> people need to list all recipients of a file? 
> 
> I agree with David, 

David didn't say he doesn't want this new command, but asked seriously 
for some use cases.

> especially since the desired feature is already present, though
> somewhat hidden: 
> 
> gpg --list-only --verbose encrypted_file.gpg

It kind of partially works. With --verbose it at least mentions your 
own subkeys, but still doesn't print the uids or the primary keyid. 
No nice consistent output and a 'somewhat hidden' command.
If you prefer not changing anything then David's tip is much better.

Dirk



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How know who is a file encrypted for ?

2008-02-28 Thread Wilhelm Müller
> On Wed, 27 Feb 2008 13:23:34 -0500, David Shaw <[EMAIL PROTECTED]> said:

David> On Wed, Feb 27, 2008 at 06:55:28PM +0100, Dirk Traulsen wrote:
[...]
>> > >C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
[...]
>> So at least three people think it would be a good addition.

David> Why?

David> I'm serious - what is the use case here?  How often do people need to
David> list all recipients of a file?

I agree with David, especially since the desired feature is already
present, though somewhat hidden:

gpg --list-only --verbose encrypted_file.gpg

(Btw: It's in the manual...)

Wilhelm

-- 

There are 10 types of people in the world: Those who understand
binary, and those who don't.

-- 

  fixed pitch fonts! **
  Wilhelm Müller  [EMAIL PROTECTED] (o_
  (o_  (o_  //\
  1024D/2048g  5E6E CF83 B15E C7ED 1A31   (/)_ (/)_ V_/_
   F9435BF6E9F3 F509 FD7B F943 5BF6 © N.Smith



Re: How know who is a file encrypted for ?

2008-02-28 Thread Dirk Traulsen
On 27 Feb 2008 at 13:23, David Shaw wrote:

> On Wed, Feb 27, 2008 at 06:55:28PM +0100, Dirk Traulsen wrote:
> > > >What I meant, was something like this mockup:
> > > == 
> > > >C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
> > > >gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:
> > > 
> > > 
> > > i agree, and would welcome this as well,
> > 
> > Thanks. 
> > So at least three people think it would be a good addition.
> 
> Why?
> 
> I'm serious - what is the use case here?  How often do people need to
> list all recipients of a file? 

I want to list just some use cases where you only need the recipients 
and not the encrypted file content. I'm sure there are many more.

1. control
Your coworker encrypted an important file and you want to control 
whether it has the correct set of recipient keys before sending or 
archiving it.

2. curiosity
You want to know who else is getting the information in the file 
because he is also able to decrypt the file (I know about hidden-recipient.)

3. finding
You don't remember the exact name of the file. But you know it was 
encrypted to XYZ also.

4. sorting
You want to sort the encrypted files in an archive depending on the 
recipients.


> By the way:
>   gpg --no-default-keyring --secret-keyring /dev/null the-file.gpg

Cool. This is an interesting possibility to nearly get what I asked 
for, but not very user friendly. I now have this excellent tip from 
you, but I think it would be nice to have a clearly named command which 
people can find in the manual. 
--list-recipients would be an excellent name, I think.
Ideally additionally in a --with-colons format for easier scripting.  

Dirk



Re: How know who is a file encrypted for ?

2008-02-27 Thread vedaal
On Wed, 27 Feb 2008 16:17:01 -0500 John Clizbe <[EMAIL PROTECTED]> 
wrote:

>>>By the way:
>>>  gpg --no-default-keyring --secret-keyring /dev/null the-file.gpg
>> 
>> what is the correct command on Windows ?
>
>gpg --no-default-keyring --secret-keyring nul the-file.gpg

i can't get it to work :-((

i get the same gpg output as when trying to decrypt any file

gpg lists whatever public keys are not in my keyring,
and then asks me for a passphrase for the first key in my secret 
ring,
and then, if that one is wrong, goes onto the next one,
and only, if the passphrases are wrong for all the keys,
then gpg lists all the keys the message was encrypted to


vedaal





Re: How know who is a file encrypted for ?

2008-02-27 Thread John Clizbe
[EMAIL PROTECTED] wrote:
> David Shaw dshaw at jabberwocky.com
> wrote on Wed Feb 27 19:23:34 CET 2008 :
> 
>>By the way:
>>  gpg --no-default-keyring --secret-keyring /dev/null the-file.gpg
> 
> what is the correct command on Windows ?

gpg --no-default-keyring --secret-keyring nul the-file.gpg

or if you prefer NUL: (case is insignificant)


-- 
John P. Clizbe   Inet:   JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks hkp://keyserver.gingerbear.net
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"





Re: How know who is a file encrypted for ?

2008-02-27 Thread vedaal
David Shaw dshaw at jabberwocky.com
wrote on Wed Feb 27 19:23:34 CET 2008 :

>By the way:
>  gpg --no-default-keyring --secret-keyring /dev/null the-file.gpg
.....

what is the correct command on 'windows' ?

TIA,

vedaal





Re: How know who is a file encrypted for ?

2008-02-27 Thread David Shaw
On Wed, Feb 27, 2008 at 06:55:28PM +0100, Dirk Traulsen wrote:
> > >What I meant, was something like this mockup:
> > == 
> > >C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
> > >gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:  
> > 
> > 
> > i agree, and would welcome this as well,
> 
> Thanks. 
> So at least three people think it would be a good addition.

Why?

I'm serious - what is the use case here?  How often do people need to
list all recipients of a file?

By the way:
  gpg --no-default-keyring --secret-keyring /dev/null the-file.gpg

David



Re: How know who is a file encrypted for ?

2008-02-27 Thread Dirk Traulsen
On 27 Feb 2008 at 9:51, [EMAIL PROTECTED] wrote:

> Dirk Traulsen dirk.traulsen at lypso.de
> wrote on Wed Feb 27 10:00:25 CET 2008
> 
> >You don't believe me to enter 9 times a complete passphrase, do 
> you?
> 
> i agree with you completely that it would be a major annoyance to 
> have to enter a complete passphrase, even 3 times, 
> and certainly would be very annoying to enter it 9 times,
> 
> my point was that you don't need to enter the *complete* passphrase 
> at all, or even 'any' part of it,
> 
> all you have to do is press the 'enter' key without typing 
> *anything*

Oh God! You REALLY thought I was so stupid that I would type in complete 
passphrases 9 times. I cannot believe it. I first thought you made fun 
of me. Do I really sound like a complete moron here?

1. I thought it was self-evident that one just hits 'enter' to go 
through the questions, so I didn't mention it.

2. And to repeat myself:
The examples I described for wish number one were not MY scenarios I 
LIKE to have at home! There I'm in control of the computer and I can 
set up everything logical and secure.
But when you are NOT in control of the computer you are supposed to 
work with and you experience a scenario like I described, then you just 
have to live with it. (Which might be a bit more comfortable, that's 
all.)


On to the obviously more realistic wish number 2: --recipient-keys

> >What I meant, was something like this mockup:
> == 
> >C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
> >gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:  
> 
> 
> i agree, and would welcome this as well,

Thanks. 
So at least three people think it would be a good addition.

Dirk





re: How know who is a file encrypted for ?

2008-02-27 Thread vedaal
vedaal at hush.com
wrote on Wed Feb 27 15:51:05 CET 2008


>What I meant, was something like this mockup:
== 
>C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
>gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:  


actually, gnupg already does this when decrypting, 
but only after the passphrases are entered incorrectly for each key

in the example i posted,
here is the gnupg output after intentionally giving the wrong 
passphrases for each of the keys:


gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "1 <[EMAIL PROTECTED]>"
2048-bit RSA key, ID 756C91DE, created 2005-12-01

:encrypted data packet:
length: 90
mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 756C91DE, created 2005-12-01
  "1 <[EMAIL PROTECTED]>"
gpg: public key decryption failed: bad passphrase
gpg: encrypted with 1024-bit ELG-E key, ID F0E74948, created 2002-01-15
  "boo <[EMAIL PROTECTED]>"
gpg: public key decryption failed: bad passphrase
gpg: encrypted with 2048-bit RSA key, ID 495CA15B, created 2005-12-01
  "1 <[EMAIL PROTECTED]>"
gpg: public key decryption failed: bad passphrase
gpg: encrypted with 2048-bit RSA key, ID F9015496, created 2005-12-01
  "1 <[EMAIL PROTECTED]>"
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

c:\gnupg>


so,
a simple workaround to see which keys a message is encrypted to,
is to just type:

gpg filename

and press the 'enter' key quickly and repeatedly until gnupg gives 
the 'failed decryption' message, and lists all the keys

(also not too hard to live with ...  ;-)  )


vedaal





re : How know who is a file encrypted for ?

2008-02-27 Thread vedaal
Dirk Traulsen dirk.traulsen at lypso.de
wrote on Wed Feb 27 10:00:25 CET 2008

>You don't believe me to enter 9 times a complete passphrase, do you?

i agree with you completely that it would be a major annoyance to 
have to enter a complete passphrase, even 3 times, 
and certainly would be very annoying to enter it 9 times,

my point was that you don't need to enter the *complete* passphrase 
at all, or even 'any' part of it,

all you have to do is press the 'enter' key without typing 
*anything*

pressing the 'enter' key 9 times quickly, is something i can live 
with without bothering the developers
(they were nice enough to include the option of being able to see 
the passphrase as it is typed in, after i requested it),
[belated THANKS !!! ;-)  ]


>What I meant, was something like this mockup:
== 
>C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg
>gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:  


i agree, and would welcome this as well,
also agree that pgpdump provides extra distracting information,
when all one is interested in, is finding out who the encrypted 
recipients are

only brought up pgpdump as a useful solution until this could be 
done,
(it lets you see how many times you need to press 'enter' to get to 
your key)

and also, that since it is open source,
it might be easier for the developers to look at it and add a modified 
patch to have gnupg do the 'gpg --recipient-keys' option as you 
suggested

(btw, 
i made a mistake in my example, it was encrypted to 4 keys instead 
of 5, i forgot i turned off my 'encrypt to default key' option  ;-(  
)


vedaal





Re: How know who is a file encrypted for ?

2008-02-27 Thread Sebastien Chassot

On Wed, 2008-02-27 at 10:00 +0100, Dirk Traulsen wrote:

> You don't believe me to enter 9 times a complete passphrase, do you?
> You are right, that it is possible to live with it, but why not 
> implement something more comfortable if it doesn't lower the security 
> level?
> 
> 

> While pgpdump gives a really interesting output, it does not deliver 
> what I asked for:
> A nicely formatted list of the recipients of an encrypted file.
> 

I agree, normal users may want user friendly output and developers want
full debugging output. There are two needs, and now only the full (heavy)
output is available. 

Obviously users can make it with sed and awk, but if they do so they are
developers and like verbose output ;)








Re: How know who is a file encrypted for ?

2008-02-27 Thread Dirk Traulsen
On 26 Feb 2008 at 9:55, [EMAIL PROTECTED] wrote:
> 
> On 26 Feb 2008 at 8:48, [EMAIL PROTECTED] wrote:
> > 
> >1. If there are several recipients, test the given passphrase
> >automatically for all secret keys in your keyring, so that you don't
> >have to give for example 9 times a wrong one if you are recipient
> >number four, which you even don't know beforehand. 
> 
> it isn't necessary to enter the passphrase at all, just press 'enter' 
> repeatedly until you reach the recipient you want (you'll still need 9
> 'enter's for your example ;-) but hardly such a tedious task) 

You don't believe me to enter 9 times a complete passphrase, do you?
You are right, that it is possible to live with it, but why not 
implement something more comfortable if it doesn't lower the security 
level?


> >2. A command which lists the recipients of an encrypted file.
> 
> or maybe an upgrade of gpg list packets, to include the recipient 
> listing the way pgpdump does
> 
> pgpdump immediately lists all the keyid's a message is encrypted to,
> and does so in the same order of recipients, as gnupg uses to ask 
> for the passphrase 

What I meant, was something like this mockup:
== 
C:\>gpg --recipient-keys ENCRYPTED_FILE.gpg

gpg: file ENCRYPTED_FILE.gpg was encrypted to the following keys:  

gpg: encrypted with 2048-bit ELG-E key, ID 1643B926, created 2002-01-28
  "David M. Shaw <[EMAIL PROTECTED]>"
gpg: encrypted with 4096-bit ELG-E key, ID E192093D, created 2005-10-21
  "Dirk Traulsen (dtl-2) <[EMAIL PROTECTED]>"
gpg: secret key with ID E192093D in keyring
gpg: encrypted with 2048-bit RSA key, ID 85306D25, created 2000-09-05
  "vedaal nistar <[EMAIL PROTECTED]>"
gpg: encrypted with RSA key, ID 710ACD97
gpg: encrypted with RSA key, ID 01B0C12D

C:\>
==  
As you can easily see, there are 5 recipients: 3 in the public keyring (with 
1 secret key in the secret keyring), 2 not in the keyring.  

This is the result, I get from your example:

  PGPdump Results

Old: Public-Key Encrypted Session Key Packet(tag 1)(268 bytes)
 New version(3)
 Key ID - 0x7DC4274AF9015496
 Pub alg - RSA Encrypt or Sign(pub 1)
 RSA m^e mod n(2047 bits) - ...
 -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02

Old: Public-Key Encrypted Session Key Packet(tag 1)(268 bytes)
 New version(3)
 Key ID - 0xA306C37B495CA15B
 Pub alg - RSA Encrypt or Sign(pub 1)
 RSA m^e mod n(2045 bits) - ...
 -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
(...)
==

While pgpdump gives a really interesting output, it does not deliver 
what I asked for:
A nicely formatted list of the recipients of an encrypted file.

Dirk



Re: How know who is a file encrypted for ?

2008-02-26 Thread vedaal
>Date: Tue, 26 Feb 2008 08:48:57 +0100
>From: "Dirk Traulsen" <[EMAIL PROTECTED]>
>Subject: Re: How know who is a file encrypted for ?


>1. If there are several recipients, test the given passphrase 
>automatically for all secret keys in your keyring, so that you 
>don't 
>have to give for example 9 times a wrong one if you are recipient 
>number four, which you even don't know beforehand.

it isn't necessary to enter the passphrase at all
just press 'enter' repeatedly until you reach the recipient you want
(you'll still need 9 'enter's for your example ;-)
but hardly such a tedious task)


>2. A command which lists the recipients of an encrypted file.

or maybe an upgrade of gpg list packets, to include the recipient 
listing the way pgpdump does

pgpdump immediately lists all the keyid's a message is encrypted to,
and does so in the same order of recipients, as gnupg uses to ask 
for the passphrase 

here is a sample message encrypted to multiple keys:


here is the pgpdump web interface:
http://www.pgpdump.net/

and here is the pgpdump home site and links for sourcecode:
http://www.mew.org/~kazu/proj/pgpdump/


vedaal





Re: How know who is a file encrypted for ?

2008-02-26 Thread Dirk Traulsen
On 26 Feb 2008 at 9:40, Sven Radde wrote:

> Hi!
> 
> Dirk Traulsen wrote:
> > b. some keys do not belong to me in a common keyring.
> 
> I am really not sure whether that is a good idea at all. Granting other
> people (write!) access to my secret keyring would be a troubling
> thought, even though I am not currently aware of any practical
> exploits. 
> 
> I do not know your threat model but I cannot imagine many benefits for
> such a setup.

You are completely right that this is nothing for a maximum security 
usage, not the scenario one would like to have and not what I have at 
home.
But think of one computer which is used together by several people in a 
working group or a shared flat. As the computer itself is physically 
reachable by several people, you have no other choice than to trust these 
people not to mess with the computer. In these cases where no high 
security is possible, you don't really get more security by using 
different keyrings. 

Dirk




Re: How know who is a file encrypted for ?

2008-02-26 Thread Sven Radde

Hi!

Dirk Traulsen wrote:

> b. some keys do not belong to me in a common keyring.

I am really not sure whether that is a good idea at all.
Granting other people (write!) access to my secret keyring would be a 
troubling thought, even though I am not currently aware of any practical 
exploits.


I do not know your threat model but I cannot imagine many benefits for 
such a setup.


cu, Sven



Re: How know who is a file encrypted for ?

2008-02-25 Thread Dirk Traulsen
The two wishes I listed for gpg were:

1. If there are several recipients, test the given passphrase 
automatically for all secret keys in your keyring, so that you don't 
have to give for example 9 times a wrong one if you are recipient 
number four, which you even don't know beforehand.

2. A command which lists the recipients of an encrypted file.

The first proposal is much more interesting as it would remedy a 
nuisance if you regularly work with files with several recipients.

I really don't see a possible security problem here. 
Passphrases are used to symmetrically decrypt the secret keys, nothing else. 
So we are only talking about secret keys in the keyring where
a. all keys belong to me or
b. some keys do not belong to me in a common keyring.

In case a. there is no problem, I just give the first asked passphrase. 
But in case b, where it is the nuisance I described, you could only be 
unsure whether someone could guess your password. This is a completely 
different problem but has nothing to do with my proposal as now gpg 
also asks you three times to give a passphrase for these keys. You see, 
nothing changes security-wise.

What I would like:
gpg encrypted_file.gpg
-> output nice list of the recipients with UIDs (ideally with
indication, which one is in the secret keyring)
-> ask for passphrase if at least one is in the secret keyring,
otherwise tell that you can't decrypt the file
-> test each secret key in the secret keyring with the passphrase
-> if there was a hit, tell so and decrypt
-> if not, give two more chances


For the second wish Tracy D. Bossong mentioned
> gpg --list-packets --list-only
as a solution, which goes at least a bit in the right direction as it 
lists all the keyids. Interestingly it lists nicely the keys for which 
there is no secret key in our keyring, like David Shaw's in this 
example.

C:\>gpg --list-packets --list-only file.gpg
:pubkey enc packet: version 3, algo 16, keyid 79F51929AC2E2384
data: [4096 bits]
data: [4096 bits]
:pubkey enc packet: version 3, algo 16, keyid E3B52841743DD3E2
data: [4096 bits]
data: [4093 bits]
:pubkey enc packet: version 3, algo 16, keyid AE2827D11643B926
data: [2047 bits]
data: [2046 bits]
:pubkey enc packet: version 3, algo 16, keyid 9166EB1E0B9DCED2
data: [4095 bits]
data: [4096 bits]
:encrypted data packet:
length: 81
mdc_method: 2
gpg: verschlüsselt mit 2048-Bit ELG-E Schlüssel, ID 1643B926, erzeugt 
2002-01-28
  "David M. Shaw <[EMAIL PROTECTED]>"

C:\>

What I proposed with --recipient-keys is an output of a nice list of 
all the recipient keys like the last one here. 
And why not by the way even highlight for which one you have the secret 
key in the keyring?

Dirk

PS: Tracy, you seem to have a serious problem with your citing of other 
mails. You are citing them
one
word
per 
line. 
To be sure that it is no artefact on my side, I checked the archives.
See http://marc.info/?l=gnupg-users&m=120397363028142
and compare to below. There is definitely something wrong on your side.

> - Original Message 
> From: Dirk Traulsen <[EMAIL PROTECTED]>
> To: 
> Cc: GnuPG mailing list 
> Sent: Monday, February 25, 2008 12:27:56 PM
> Subject: Re: How know who is a file encrypted for ?
> 
> 
> Am 
> 25 
> Feb 
> 2008 
> um 
> 8:01 
> hat 
> Tracy 
> D. 
> Bossong 
> geschrieben:
> 
> > 
> gpg 
> --list-packets 
> should 
> give 
> you 
> a 
> clue
> 
> No, 
> it 
> does 
> not!
>  --list-packets 
> file.gpg>  
> does 
> the 
> same 
> as  
>  file.gpg>.
> The 
> only 
> difference 
> is 
> that 
> gpg 
> gives 
> additional 
> packet 
> information 
> before 
> asking 
> the 
> passphrases 
> three 
> times 
> for 
> each 
> recipient. 
(...)
I stop copying here. This should be enough to show the problem.


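The packet walk that pgpdump and 'gpg --list-packets --list-only' do above, turned into the recipient list with a secret-key marker that Dirk asks for, as an added example that is not code from GnuPG or from anyone in this thread: it reads the Public-Key Encrypted Session Key packets (OpenPGP tag 1) straight from a binary .gpg file, so no passphrase prompt ever appears, and it also flags hidden recipients (wildcard key ID) and passphrase-only (symmetric) encryption. The describe() lookup via 'gpg --with-colons', the _pkesk() builder and the inline SAMPLE message (the two long key IDs quoted in this thread plus zero filler instead of real MPIs) are assumptions of this example; armored input must go through 'gpg --dearmor' first.

```python
"""List the recipients of an OpenPGP-encrypted file without decrypting it.

Walks the packet headers (RFC 4880, section 4.2) and reads every
Public-Key Encrypted Session Key packet (tag 1) in front of the ciphertext,
which is what pgpdump prints as "Key ID - 0x...".  Expects binary input.
"""
import struct
import subprocess
import sys

TAG_PKESK, TAG_SKESK, TAG_SED, TAG_SEIPD = 1, 3, 9, 18
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA", 18: "ECDH"}


def _read_header(data, pos):
    """Parse one packet header at pos; return (tag, body_start, body_len).
    body_len is None for indeterminate/partial lengths, which only the
    trailing encrypted-data packet may use."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("no OpenPGP packet at offset %d (armored input?)" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        return tag, pos + 2, None                    # partial body length
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        return tag, pos + 1, None                    # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")


def list_recipients(data):
    """Return [(kind, keyid_hex, algo)] for the session-key packets.
    kind is 'pubkey', 'hidden' (wildcard key ID, i.e. --hidden-recipient)
    or 'symmetric' (a passphrase-protected session key, tag 3)."""
    found, pos = [], 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        if tag in (TAG_SED, TAG_SEIPD) or length is None:
            break                                    # reached the ciphertext
        body = data[start:start + length]
        if tag == TAG_PKESK:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            keyid = body[1:9].hex().upper()
            algo = PUBKEY_ALGOS.get(body[9], "algo %d" % body[9])
            found.append(("hidden" if keyid == "0" * 16 else "pubkey", keyid, algo))
        elif tag == TAG_SKESK:
            found.append(("symmetric", "", "passphrase"))
        pos = start + length
    return found


def describe(keyid):
    """Hypothetical keyring lookup (assumption of this example): returns
    (first user ID, secret key present?) from gpg's --with-colons records."""
    cmd = ["gpg", "--batch", "--with-colons"]
    try:
        pub = subprocess.run(cmd + ["--list-keys", keyid], capture_output=True, text=True)
        sec = subprocess.run(cmd + ["--list-secret-keys", keyid], capture_output=True, text=True)
    except FileNotFoundError:
        return "(gpg not installed)", False
    uid = next((l.split(":")[9] for l in pub.stdout.splitlines() if l.startswith("uid:")),
               "(not in keyring)")
    return uid, sec.returncode == 0


def _pkesk(keyid_hex, algo, mpi_len, new_format):
    """Constructed v3 PKESK packet with zero filler instead of real MPIs."""
    body = b"\x03" + bytes.fromhex(keyid_hex) + bytes([algo]) + b"\x00" * mpi_len
    if new_format:
        return bytes([0xC0 | TAG_PKESK, 255]) + struct.pack(">I", len(body)) + body
    return bytes([0x80 | (TAG_PKESK << 2) | 1]) + struct.pack(">H", len(body)) + body


# Constructed sample: an ELG-E 2048 recipient, an ELG-E 4096 recipient,
# one hidden recipient, then a tiny fake encrypted-data packet (tag 18).
# The two non-zero key IDs are the long IDs quoted in this thread.
SAMPLE = (_pkesk("AE2827D11643B926", 16, 516, new_format=False)
          + _pkesk("F2A47460E192093D", 16, 1028, new_format=True)
          + _pkesk("0000000000000000", 1, 258, new_format=False)
          + bytes([0xC0 | TAG_SEIPD, 4]) + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, keyid, algo in list_recipients(data):
        if kind == "symmetric":
            print("encrypted with a passphrase (symmetric)")
            continue
        uid, have_sec = describe(keyid) if kind == "pubkey" else ("(hidden recipient)", False)
        print("encrypted with %s key, ID %s  %s%s"
              % (algo, keyid[-8:], uid, "  [secret key in keyring]" if have_sec else ""))
```

Run it as 'python3 list_recipients.py file.gpg'; without an argument it parses the built-in sample.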


Re: How know who is a file encrypted for ?

2008-02-25 Thread Tracy D. Bossong
gpg --list-packets --list-only  

but clearly you identified yourself as a recipient because you were prompted 
for a passphrase.

- Original Message 
From: Dirk Traulsen <[EMAIL PROTECTED]>
To: 
Cc: GnuPG mailing list 
Sent: Monday, February 25, 2008 12:27:56 PM
Subject: Re: How know who is a file encrypted for ?


On 25 Feb 2008 at 8:01, Tracy D. Bossong wrote:

> gpg --list-packets should give you a clue

No, it does not!
'gpg --list-packets file.gpg' does the same as 'gpg file.gpg'.
The only difference is that gpg gives additional packet information 
before asking the passphrases three times for each recipient. So the 
described problem for an encrypted file with several recipients stays 
the same.
=
C:\>gpg --list-packets file.gpg
:pubkey enc packet: version 3, algo 16, keyid F2A47460E192093D
data: [4095 bits]
data: [4095 bits]

You need a passphrase to unlock the secret key for
user: "Dirk Traulsen (dtl-2) <[EMAIL PROTECTED]>"
4096-bit ELG-E key, ID E192093D, created 2005-10-21 (main key ID CDDB9911)

Please enter the passphrase:
=

Dirk Traulsen






Re: How know who is a file encrypted for ?

2008-02-25 Thread Dirk Traulsen
On 25 Feb 2008 at 8:01, Tracy D. Bossong wrote:

> gpg --list-packets should give you a clue

No, it does not!
'gpg --list-packets file.gpg' does the same as 'gpg file.gpg'.
The only difference is that gpg gives additional packet information 
before asking the passphrases three times for each recipient. So the 
described problem for an encrypted file with several recipients stays 
the same.
=
C:\>gpg --list-packets file.gpg
:pubkey enc packet: version 3, algo 16, keyid F2A47460E192093D
data: [4095 bits]
data: [4095 bits]

You need a passphrase to unlock the secret key for
user: "Dirk Traulsen (dtl-2) <[EMAIL PROTECTED]>"
4096-bit ELG-E key, ID E192093D, created 2005-10-21 (main key ID 
CDDB9911)

Please enter the passphrase:
=

Dirk Traulsen




Re: How know who is a file encrypted for ?

2008-02-25 Thread Sebastien Chassot

On Mon, 2008-02-25 at 08:01 -0800, Tracy D. Bossong wrote:
> gpg --list-packets should give you a clue
> 
Yes true! I'm not used to using it because it's only mentioned in the man page and
not in the help (and I don't rtfm enough ;)







Re: How know who is a file encrypted for ?

2008-02-25 Thread Tracy D. Bossong
gpg --list-packets should give you a clue

- Original Message 
From: Sebastien Chassot <[EMAIL PROTECTED]>
To: Dirk Traulsen <[EMAIL PROTECTED]>
Cc: GnuPG mailing list 
Sent: Monday, February 25, 2008 7:29:43 AM
Subject: Re: How know who is a file encrypted for ?



On Mon, 2008-02-25 at 09:59 +0100, Dirk Traulsen wrote:

> If you are the third recipient, you have to give 6 times a wrong 
> password until you can finally input the correct one. This gets real 
> fun when there are ten recipients...
> 
> It would be nice, if 
> 1. gpg would take the password and test it automatically with all 
> recipients keys.
>   1a. If there would be a hit, fine.
>   1b. If there was no hit, print a list of all recipient keys and give
>       two more chances for a correct password.
> 2. there would be a command --recipient-keys which would just list all 
> recipient keys of an encrypted file, so I could see in advance whether 
> my key is one of them.
> 

I thought there wasn't any command for security reasons, but I agree it
seems a basic functionality is missing.

Maybe a command giving complete information on a file would be useful
too. I mean a signed file and an encrypted file both have the .gpg extension
and are hard to distinguish, aren't they?


Or the --verify command could be more verbose and list the recipients'
keys?

$ gpg --verify encrypted_file.gpg
gpg: verify signatures failed: unexpected data

$ gpg --verify signed_file.gpg
gpg: Signature made ...
gpg: Good signature from ...






Re: How know who is a file encrypted for ?

2008-02-25 Thread Sebastien Chassot

On Mon, 2008-02-25 at 09:59 +0100, Dirk Traulsen wrote:

> If you are the third recipient, you have to give 6 times a wrong 
> password until you can finally input the correct one. This gets real 
> fun when there are ten recipients...
> 
> It would be nice, if 
> 1. gpg would take the password and test it automatically with all 
> recipients keys.
>   1a. If there would be a hit, fine.
>   1b. If there was no hit, print a list of all recipient keys and give
>two more chances for a correct password.
> 2. there would be a command --recipient-keys which would just list all 
> recipient keys of an encrypted file, so I could see in advance whether 
> my key is one of them.
> 

I thought there wasn't any command for security reasons, but I agree it
seems a basic functionality is missing.

Maybe a command giving complete information on a file would be useful
too. I mean a signed file and an encrypted file both have the .gpg extension
and are hard to distinguish, aren't they?


Or the --verify command could be more verbose and list the recipients'
keys?

$ gpg --verify encrypted_file.gpg
gpg: verify signatures failed: unexpected data

$ gpg --verify signed_file.gpg
gpg: Signature made ...
gpg: Good signature from ...






Re: How know who is a file encrypted for ?

2008-02-25 Thread Dirk Traulsen
On 8 Feb 2008 at 15:23, David Shaw wrote:

> On Fri, Feb 08, 2008 at 09:07:21PM +0100, Sebastien Chassot wrote:
> > Hi,
> > 
> > I can't find how to list who a file is encrypted for. I've encrypted several
> > files with different recipients, but I don't remember which.
> 
> Just run 'gpg' on the file, and don't give a passphrase.  It prints
> all the possible recipients.

No, not really. gpg asks three times for the password for each 
recipient one after the other. 

If you are the third recipient, you have to give 6 times a wrong 
password until you can finally input the correct one. This gets real 
fun when there are ten recipients...

It would be nice, if 
1. gpg would take the password and test it automatically with all 
recipients keys.
  1a. If there would be a hit, fine.
  1b. If there was no hit, print a list of all recipient keys and give
      two more chances for a correct password.
2. there would be a command --recipient-keys which would just list all 
recipient keys of an encrypted file, so I could see in advance whether 
my key is one of them.

Dirk



Re: How know who is a file encrypted for ?

2008-02-08 Thread David Shaw
On Fri, Feb 08, 2008 at 09:07:21PM +0100, Sebastien Chassot wrote:
> Hi,
> 
> I can't find how to list who a file is encrypted for. I've encrypted several
> files with different recipients, but I don't remember which.
> 
> In general, how can I tell the difference between a file encrypted for one
> user and for several users? Symmetrically encrypted and asymmetrically?

Just run 'gpg' on the file, and don't give a passphrase.  It prints
all the possible recipients.

David
