On Sun, 25 Dec 2011 01:23, drfar...@acm.org said:

> self-signed x509 certs via gpgsm as a mechanism for encryption.
> Unfortunately all I get back from gpgsm is "No Value". The output of

That is a misleading error message. You should also enable gpg-agent
logging in gpg-agent.conf to see the real problem.

> $ gpgsm -v --debug-level=guru -r
> 'A17951D33720CCE03E1065ABB7BBC16CC11CCBB9' -e < /dev/urandom

Surely you are joking, Daniel. Encrypting an endless random stream is
not very practical ;-).

> --encrypt --recipient $FINGERPRINT) fails. By contrast, it's more or
> less straightforward to generate an OpenPGP key, trust it, and then
> encrypt an archive with it, and that works as expected.

Welcome to the world of X.509.

More seriously, the problem is that you need to trust a given
certificate and X.509 requires a PKI for it. Thus you need some kind of
root certificate which is flagged as trusted. With the proper options
(gpg-agent's --allow-mark-trusted) you can do that for a self-signed
certificate.

In theory we could add a validation model to gpgsm which always trusts
a certificate. In 2.1beta3, we added the validation model "seed" which
does something like this. It trusts all root certificates with a
special attribute. If you add this attribute to your certificate you
are done. However, the actual idea behind that feature is that you use
a well known private key and certificate to issue your certificates
(dubbed the STEED Self-Signing Nonthority). In the end it is the same
as a self-signed certificate.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
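The two fixes Werner points at, agent logging and trusting a self-signed root, as an added example (not code from the thread or from GnuPG): it prepares a throwaway GNUPGHOME, writes a gpg-agent.conf with log-file and allow-mark-trusted, and records the certificate fingerprint in trustlist.txt, which is the non-interactive equivalent of answering the mark-trusted prompt. The fingerprint is the one Daniel quoted, used here only as a sample value; the helper names are this example's own.

```shell
#!/bin/sh
# Added example; assumes a scratch GNUPGHOME (mktemp) unless one is exported.
set -eu

GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# gpg-agent.conf: log to a file so the real failure behind "No Value" is
# visible, and let gpgsm ask to mark a root certificate as trusted.
write_agent_conf() {
  cat > "$GNUPGHOME/gpg-agent.conf" <<EOF
allow-mark-trusted
log-file $GNUPGHOME/gpg-agent.log
verbose
EOF
}

# Append "<fingerprint> S" to trustlist.txt; the S flag marks an X.509 root
# as trusted for S/MIME. Colons are stripped and the value must be the
# 40-hex-digit SHA-1 certificate fingerprint shown by "gpgsm --fingerprint".
add_trusted_root() {
  fpr=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  case "$fpr" in
    ""|*[!0-9A-F]*) echo "bad fingerprint: $1" >&2; return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 1; }
  # Idempotent: do not duplicate an entry that is already present.
  if is_trusted_root "$fpr"; then
    return 0
  fi
  printf '%s S\n' "$fpr" >> "$GNUPGHOME/trustlist.txt"
}

# Returns 0 when the fingerprint is listed as a trusted root.
is_trusted_root() {
  fpr=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  grep -q "^$fpr S" "$GNUPGHOME/trustlist.txt" 2>/dev/null
}

write_agent_conf
add_trusted_root 'A17951D33720CCE03E1065ABB7BBC16CC11CCBB9'
```

A running gpg-agent caches the trust list, so run `gpgconf --reload gpg-agent` after editing trustlist.txt, then retry the gpgsm --encrypt and read the agent log if it still fails.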