Re: This IS about GD - a proposal on dealing with the problem
* Kurt Fitzner <[EMAIL PROTECTED]> [2005-09-09 19:58 -0600]:
> Junk signatures because the form they are being distributed in is
> meaningless. Signatures that expire in two weeks in a system which is
> evaluated every six months are useful for exactly what, may I ask?

You may remove a key at any time from GD.

Nicolas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
David Shaw wrote:
>> Also, these are not "junk" signatures. They have semantic meaning,
>> and are used by many people. Please clarify what makes a signature a
>> "junk" signature. I'd like to understand why you classify them that
>> way.

Put it the other way round - what useful purpose do they serve? I haven't seen one yet, ergo they are junk. I don't even like the added signatures when a key is edited; unless it is that particular signature that is edited, I would prefer to see the original signature date. Cleaning the key removes the older ones, instead of the junk ones.

>> Why the outrage? I really don't understand why people are so hopping
>> mad about this. Turn on "import-clean" in your gpg.conf and you'll
>> never see more than one GD signature at a time.

It may do with the nightly builds, but it doesn't yet work on the release version of GPG.

Sadly, I doubt PGP corporation would take any notice of a petition - they don't even listen to and reply to their paid subscribers' comments, never mind those that don't use PGP.

Regards,

Bob
Re: gpg looking for strange additional key upon import (was Re: clean sigs)
On 9 Sep 2005 at 10:29 David Shaw wrote:
> On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote:
>
> > Interestingly there is a difference, whether I use '--import' to get
> > a key from a 'key.asc' or '--recv-key' to import it from a
> > keyserver. It reproducibly asks for two different, not existing
> > keys. On WinXP it is always 0022FB70 when a key gets '--import'ed
> > and 0022FA10 when it is '--recv-key'ed. It is the same for Win95,
> > but with other key IDs: 0080F760 for '--import' and 0080F8F0 for
> > '--recv-key'.
>
> That looks disturbingly like uninitialized data, but I'm not able to
> duplicate it here.
>
> Here is what I'm doing:
>
> $ rm ~/.gnupg/trustdb.gpg
> $ gpg --import koch.asc
> gpg: /home/dshaw/.gnupg/trustdb.gpg: trustdb created
> gpg: key 57548DCD: public key "Werner Koch (gnupg sig)
> " imported
> gpg: Total number processed: 1
> gpg:               imported: 1
>
> Can you give exact steps to follow?

Ok, I'll try.

First, I did this with gpg 1.4.2 under WinXP and confirmed my findings on another machine with gpg 1.4.2 under Win95. Your machine seems to be Linux. Unfortunately I cannot test gpg 1.4.2 under Linux at the moment.

The first output below is what I described the last two days. When there is not at least one public key in the keyring which has ultimate trust, gpg tries to find non-existing keys upon importing or receiving (but not from newly generated keys). See above for the constant key IDs.

Today I thought about it and concluded it could be dependent on a read of the trustdb after a change and not specifically on the import. I made some experiments and it seems to be true. When I set the trust-model via gpg.conf to direct or always, this line never comes.

I tried to find the simplest situation for you. I hope this is simple enough: I deleted everything, added one public key (Werner's :) ), set it to ultimate trust, set it back to full trust to have the change in the trustdb and issued --list-key.

As you can see below, it brings up the bug. And something new: when I ask for the secret keys after the same procedure, it asks for a new third key ID, which is always the same, like the other two. And like before, it is the same on Win95, but with a different ID.

I hope this will help you and that maybe somebody else can reproduce it.

Dirk

+
(Delete keyrings and trustdb. I did not delete random_seed. Does it matter? Made new gpg.conf with only one line for shorter output: no-greeting)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf

(Import previously exported key file => gpg states: no ultimately trusted key 0022FB70 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: key 57548DCD: public key "Werner Koch (gnupg sig) <[EMAIL PROTECTED]>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden

(Next one is just to show it has nothing to do with Werner's key)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import binner.asc
gpg: key D86A0D19: public key "Stephan Binner <[EMAIL PROTECTED]>" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FB70 gefunden

(Import a newly generated, exported and then deleted key => The line does not come!)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: key 57548DCD: "Werner Koch (gnupg sig) <[EMAIL PROTECTED]>" not changed
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: unverändert: 1

(Fetch key from keyserver (tried several) => gpg states: no ultimately trusted key 0022FA10 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --keyserver random.sks.keyserver.penguin.de --recv-key 08b0a90b
gpg: requesting key 08B0A90B from hkp server random.sks.keyserver.penguin.de
gpg: key 08B0A90B: public key "PuTTY Releases (DSA) " imported
gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 0022FA10 gefunden
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1

+++
(Start again with deleting everything. Made new gpg.conf with only one line for shorter output: no-greeting)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg
C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf

(As before: Import previously exported key file => gpg states: no ultimately trusted key 0022FB70 found)

C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc
gpg: Schlüsselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\secring.gpg' erstellt
gpg: Schlüsselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg' erstellt
gpg: C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\trustdb.gpg: tr
Re: clean sigs
On 9 Sep 2005 at 10:46 David Shaw wrote:
> Unfortunately not, because without the signing key, gpg can't tell if
> a signature is valid or not. If there is no way to tell if a
> signature is valid then the wrong thing might happen in cleaning.
>
> Here's an example:
>
> signature 1 from key 12345678 is dated January 1, 2000.
> signature 2 from key 12345678 is dated January 1, 2001.
>
> It would seem obvious that signature 1 should be removed... but in
> fact, signature 1 is valid, and signature 2 is a forgery. If gpg
> removes signature 1, then the forger who created signature 2
> effectively "revoked" signature 1. Only if the signing key 12345678
> is present can gpg tell which is the real signature.

Ok, now I understand. Maybe it would be helpful to write in the man page that you need the key for cleaning.

> There is perhaps an argument to be made for a "super clean" that does
> clean and also removes any signature where the signing key is not
> present (in fact, an early version of clean did that), but that's a
> different thing than clean.

I think it would be a good thing to have, especially if you have limited space. The name is funny too.

Thank you for your help

Dirk
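The cleaning decision David explains above, as an added example that is not part of the thread and not GnuPG's own code: a small Python model in which a signature may only be discarded once its issuer's key is present to verify it, with the naive newest-wins rule and the "super clean" variant beside it for contrast. The `genuine` field is a constructed stand-in for what signature verification would report if the issuer key were in the keyring.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sig:
    issuer: str    # key ID of the signing key
    made: date     # signature creation date
    genuine: bool  # constructed stand-in: verification result IF the issuer key were present


def naive_clean(sigs):
    """Newest signature per issuer wins, validity ignored: the rule the message warns against."""
    newest = {}
    for s in sigs:
        if s.issuer not in newest or s.made > newest[s.issuer].made:
            newest[s.issuer] = s
    return sorted(newest.values(), key=lambda s: s.made)


def clean(sigs, present_keys, super_clean=False):
    """Keep, per issuer, only the newest signature that actually verifies.

    Verification needs the issuer's public key. If it is absent, validity is
    unknowable, so every signature from that issuer is left untouched (plain
    clean) or all of them are dropped (the 'super clean' variant).
    """
    by_issuer = {}
    for s in sigs:
        by_issuer.setdefault(s.issuer, []).append(s)
    kept = []
    for issuer, group in by_issuer.items():
        if issuer not in present_keys:
            if not super_clean:
                kept.extend(group)
            continue
        verified = [s for s in group if s.genuine]  # a forgery never verifies
        if verified:
            kept.append(max(verified, key=lambda s: s.made))
    return sorted(kept, key=lambda s: s.made)


# Constructed data: the two signatures from the example in the message.
SIG1 = Sig("12345678", date(2000, 1, 1), genuine=True)
SIG2 = Sig("12345678", date(2001, 1, 1), genuine=False)  # the forgery

if __name__ == "__main__":
    print("naive newest-wins  :", naive_clean([SIG1, SIG2]))                    # forgery survives
    print("clean, key absent  :", clean([SIG1, SIG2], set()))                    # both kept
    print("clean, key present :", clean([SIG1, SIG2], {"12345678"}))             # genuine one kept
    print("super clean, absent:", clean([SIG1, SIG2], set(), super_clean=True))  # both dropped
```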
Re: gpg looking for strange additional key upon import (was Re: clean sigs)
On Sat, Sep 10, 2005 at 02:21:24PM +0200, Dirk Traulsen wrote:
> I hope, this will help you and that maybe somebody else can reproduce
> it.

Aha! I found the problem. It's actually a bug in the German translation. I was testing in English, so never saw it. I'll file a bug for that. Thanks for your help running this one down.

David
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request
> I have
> friends who currently don't want to use PGP because they fear that their
> keys will be uploaded to a keyserver, and then they will be spammed
> forever more.

Hi,

I totally agree with what friends of Alphax say.

Wouldn't it be cute to have a special option to flag both keys and subkeys as non-exportable (uploadable) to keyservers? Speaking of myself at current, I also don't want to see any of my keys posted to a keyserver by someone else, be it on intention or not.
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request
On Sat, Sep 10, 2005 at 05:34:53PM +0200, MUS1876 wrote:
> > I have
> > friends who currently don't want to use PGP because they fear that their
> > keys will be uploaded to a keyserver, and then they will be spammed
> > forever more.
>
> Hi,
>
> I totally agree with what friends of Alphax say.
>
> Wouldn't it be cute to have a special option to flag both keys and
> subkeys as non-exportable (uploadable) to keyservers? Speaking of myself
> at current, I also don't want to see any of my keys posted to a
> keyserver by someone else, be it on intention or not.

There is such a flag, and GnuPG even sets it by default (type "showpref" in the --edit-key menu and you'll see "keyserver no-modify"). Unfortunately, the keyservers don't honor the flag...

David
Re: This IS about GD - a proposal on dealing with the problem
Bob Henson wrote:
> Put it the other way round - what useful purpose do they serve? I haven't
> seen one yet, ergo they are junk.

Um, until you actually get appointed ruler of the universe, you don't get to make that decision for everyone else. :)

Seriously though, I interact with a lot of people that get their keys from the GD (their choice, and I'm not in a position to argue), so I need to have my key there, and it needs to be signed by the GD system. You can argue whether what pgp.com is doing is wrong all day long, but it is what it is, and therefore I need to be compatible with it. Thus, I really like the clean options, and have the following in my gpg.conf which works splendidly:

import-options import-clean-sigs import-clean-uids
export-options export-clean-sigs export-clean-uids
keyserver-options import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids

> It may do with the nightly builds, but it doesn't yet work on the release
> version of GPG.

I don't know what you mean about "release version of GPG," but the above works fine with 1.4.2 on both Windows and FreeBSD.

hth,

Doug

--
If you're never wrong, you're not trying hard enough
Re: This IS about GD - a proposal on dealing with the problem
On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote:
> Ok, that other thread isn't about the GD, but this one is. I think this
> is something that should be discussed and a consensus reached.
>
> Are they a good/bad signer?
> Does something need to be done about them?
> Should they be approached by the community?
>
> ...
>
> Signature cleaning and/or filtering is not the answer, just as spam
> filtering is not the ultimate answer. The cost to the IT industry of
> spam filtering is enormous. Let's deal with the problem at the source.
>
> Kurt.

I think this is more a public keyserver design problem than GD. Keyservers should accept new signatures only from the key owner.

--
Pawel I. Shajdo
Re: Hushmail troubles...again
> I've tried over the past week to send encrypted e-mails to a
> friend with a Hushmail address from Kmail on SuSE 9.3 . I've got his
> key on my keyring and when I hit the 'send' button, it brings up the
> gpg window showing the key I'm using and all that and I enter my
> passphrase and it sends away as if there's no problem. The problem is,
> it always ends up at the Hushmail place as an attachment and no way to
> open it or read it. I even made a Hushmail account for myself and
> tried it and it did the same thing for me...it came to the Hushmail as
> an attachment with no way to open it. Is there something I'm doing
> wrong? Is it something Hushmail is doing wrong? Does anyone have any
> idea what it could possibly be, because using the Hushmail thing
> online is extremely slow for a dial-up user and a PITA when I have
> Kmail and gpg on my own
> system. Thanks for any ideas to try to fix
> this dilemma.
>
> JB

Unless I'm misunderstanding you, your friend is the one with the hush account and you are trying to send to him?

For hushmail users to receive encrypted or signed emails from non-hush users, the non-hush users must upload their public key to the hush key server. This cannot be done from ldap://keys.hush.com; this is only to retrieve keys. You must upload your public key at https://www.hushtools.com: click on the "Key Management" button and then on your left you'll see a link to "Upload a public key". Once your key is uploaded, all hush users can receive your encrypted emails. For hush users, the hush key server is kinda like one big keyring for everyone.

This doc from hush.com about how to use GPG/PGP with hush would be something to look at.
http://makeashorterlink.com/?Z131166CB

***
DM
Public PGP Key: http://makeashorterlink.com/?A25E3159A
Re: This IS about GD - a proposal on dealing with the problem
Pawel Shajdo wrote:
> On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote:
>
>>Ok, that other thread isn't about the GD, but this one is. I think this
>>is something that should be discussed and a consensus reached.
>>
>>Are they a good/bad signer?
>>Does something need to be done about them?
>>Should they be approached by the community?
>>
>>...
>>
>>Signature cleaning and/or filtering is not the answer, just as spam
>>filtering is not the ultimate answer. The cost to the IT industry of
>>spam filtering is enormous. Let's deal with the problem at the source.
>>
>> Kurt.
>
> I think this is more a public keyserver design problem than GD. Keyservers
> should accept new signatures only from the key owner.
>

That poses a significant problem when someone loses their key, but has a trusted revoker set... there are other situations where someone other than the key's owner would want to upload the key, but I can't think of them at the moment.

--
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
Re: This IS about GD - a proposal on dealing with the problem
Pawel Shajdo wrote:
>
> I think this is more a public keyserver design problem than GD. Keyservers
> should accept new signatures only from the key owner.
>

Hm, maybe define a "key upload format" which must be signed with the uploaded key itself (an analogue of PKCS#10)? Of course, the public key itself should have some flag set to "signed upload only" so that the server doesn't accept it without the corresponding signature.