Re: This IS about GD - a proposal on dealing with the problem
Zeljko Vrba wrote: > Pawel Shajdo wrote: > >>I think this is public more keyservers design problem than GD. Keyserver >>should accept new signatures only from key owner. >> > > > Hm, maybe to define a "key upload format" which must be signed with the > uploaded key itself (analogon of PKCS#10)? Of course, the public key > itself should have some flag set to "signed upload only" so that the > server doesn't accept it without the corresponding signature. > However, the keyserver would then have to verify the signature of the uploading key... how much of an extra burden would this be? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email & vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Alphax wrote: > > However, the keyserver would then have to verify the signature of the > uploading key... how much of an extra burden would this be? > In what way "extra burden"? Computationally (CPU), programming complexity, or...? Computationally - it would be done only oncem on key upload. It is not really an expensive operation - the same as verifying a GPG signature. And I think that modern servers have much spare CPU time.. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Zeljko Vrba wrote: > Alphax wrote: > >>However, the keyserver would then have to verify the signature of the >>uploading key... how much of an extra burden would this be? >> > > In what way "extra burden"? Computationally (CPU), programming > complexity, or...? > > Computationally - it would be done only oncem on key upload. It is not > really an expensive operation - the same as verifying a GPG signature. > And I think that modern servers have much spare CPU time.. > I don't suppose any keyserver operators could tell us the specs on their machines... -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email & vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Alphax wrote: > > I don't suppose any keyserver operators could tell us the specs on their > machines... > IMO, more important factor is the number of uploaded keys per hour or day. If a keyserver receives e.g. 100 keys per day, this work could be easily handled by 486/66MHz. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Doug Barton wrote: > Bob Henson wrote: > >> Put it the other way round - what useful purpose do they serve? I haven't >> seen one yet, ergo they are junk. > > Um, until you actually get appointed ruler of the universe, you don't get to > make that decision for everyone else. :) Seriously though, I interact with a > lot of people that get their keys from the GD (their choice, and I'm not in > a position to argue), so I need to have my key there, and it needs to be > signed by the GD system. You can argue whether what pgp.com is doing is > wrong all day long, but it is what it is, and therefore I need to be > compatible with it. Thus, I really like the clean options, and have the > following in my gpg.conf which works splendidly: > > import-options import-clean-sigs import-clean-uids > export-options export-clean-sigs export-clean-uids > keyserver-options import-clean-sigs import-clean-uids export-clean-sigs > export-clean-uids > >> It may do with the nightly builds, but it doesn't yet work on the release >> version of GPG. > > I don't know what you mean about "release version of GPG," but the above > works fine with 1.4.2 on both Windows and FreeBSD. A P.S. to the last message. I added the above lines and tried again, and neither refreshing a key from the keyserver, uploading a key, nor downloading a new key cause the "clean" to run. I must be doing something silly in the set-up. I created a new file in the same directory as gpg.exe (OK?) called gpg.conf (OK?) and added to it *exactly* your lines above (not line wrapped in the case of the third line. I exited Thunderbird, restarted, and tried the keyserver procedures above. No joy. Does that sound correct? Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it lists the import/export-options "clean" command there is no equivalent key-server-option "clean" command listed - this may just be an oversight in the doc file, of course. I'll away and try exporting my keyring to see what happens. Regards, Bob signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Doug Barton wrote: >> Bob Henson wrote: >> > Put it the other way round - what useful purpose do they serve? I haven't seen one yet, ergo they are junk. > >> >> Um, until you actually get appointed ruler of the universe, you don't get to >> make that decision for everyone else. :) Seriously though, I interact with a >> lot of people that get their keys from the GD (their choice, and I'm not in >> a position to argue), so I need to have my key there, and it needs to be >> signed by the GD system. You can argue whether what pgp.com is doing is >> wrong all day long, but it is what it is, and therefore I need to be >> compatible with it. Thus, I really like the clean options, and have the >> following in my gpg.conf which works splendidly: >> >> import-options import-clean-sigs import-clean-uids >> export-options export-clean-sigs export-clean-uids >> keyserver-options import-clean-sigs import-clean-uids export-clean-sigs >> export-clean-uids >> > It may do with the nightly builds, but it doesn't yet work on the release version of GPG. > >> >> I don't know what you mean about "release version of GPG," but the above >> works fine with 1.4.2 on both Windows and FreeBSD. Hmm, I did mean 1.4.2 - so I'd better try again then, Doug. I tried adding the keyserver options but it didn't do anything here. Maybe you need to have the import export options set too, I tried them first, and then removed them before adding the keyserver options, since I only need the latter. Anyway, I'll set them all and try again. Regards, Bob signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Bob Henson wrote: > > A P.S. to the last message. I added the above lines and tried again, > > and neither refreshing a key from the keyserver, uploading a key, > nor downloading a new key cause the "clean" to run. > > I must be doing something silly in the set-up. I created a new file > in the same directory as gpg.exe (OK?) called gpg.conf (OK?) and > added to it *exactly* your lines above (not line wrapped in the case > of the third line. > I exited Thunderbird, restarted, and tried the keyserver procedures > above. No joy. Does that sound correct? > > Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail > 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it > lists the import/export-options "clean" command there is no > equivalent key-server-option "clean" command listed - this may just > be an oversight in > the doc file, of course. > > I'll away and try exporting my keyring to see what happens. > You need to put gpg.conf in the same directory as you keyrings (eg. C:\Documents and Settings\Bob\Application Data\GnuPG under Windows 2000 and XP). -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email & vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Hushmail troubles...again
>Message: 1 >Date: Sat, 10 Sep 2005 01:27:02 -0500 >From: John B <[EMAIL PROTECTED]> >Subject: Hushmail troubles...again >To: gnupg-users@gnupg.org >Message-ID: <[EMAIL PROTECTED]> >Content-Type: text/plain; charset="us-ascii" > I've tried over the past week to send encrypted e-mails to a >friend with a >Hushmail address from Kmail on SuSE 9.3 . > The problem is, it always ends up at the Hushmail place as an >attachment and >no way to open it or read it. I even made a Hushmail account for >myself and >tried it and it did the same thing for me...it came to the >Hushmail as an >attachment with no way to open it. > Is there something I'm doing wrong? Is it something Hushmail is >doing wrong? >Does anyone have any idea what it could possibly be, it might be that your e-mail program is sending the message as pgp/mime, which hushmail receives as an attachment try sending the message as encrypted inline text, encrypt your message first, copy it into the e-mail program, and send as is i have been doing this with hushmail since it first came out, without problems, (now if i could only figure out how to get hushmail to stop mangling clearsigned sigs ... :-) ) vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
David Shaw wrote: >Known by *you*. I rather think the GD is a good signer, for what it >is. I think both of you need to make a difference between a bad signer that signs keys without doing sufficient checking, and a signer that spams signatures in quantities that could become a DOS attack. The GD falls in the second category, not in the first. -- ir. J.C.A. Wevers // Physics and science fiction site: [EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
On Sun, Sep 11, 2005 at 01:33:45PM +0930, Alphax wrote: > > On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > > That poses a significant problem when someone loses their key, but has a > trusted revoker set... there are other situations where someone other I mean only key signatures, not revokations > than the key's owner would want to upload the key, but I can't think of what if key's owner don't want it? > them at the moment. > -- Pawel I. Shajdo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request
MUS1876 wrote:
I have
friends who currently don't want to use PGP because they fear that
>>their
keys will be uploaded to a keyserver, and then they will be spammed
forever more.
I totally agree what friends of Alphax say.
Wouldn't it be cute to have a sepcial option to flag both keys and
subkeys as non exportable (uploadable) to keyservers? Speaking of
> myself
at current, I also don't want to see any of my keys posted to a
keyserver by someone else, be it on intention or not.
The time is ripe for a GPG variant: ("GPG-lean" ?): a public key
encryption utility with no built-in e-mail ties and no attempt
whatsoever to incorporate the solution for the authentication
problem. (For the majority of us, fingerprint-exchange-by-voice
is more perfectly adequate).
CD Rok
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bob Henson wrote: > A P.S. to the last message. I added the above lines and tried again, and > neither refreshing a key from the keyserver, uploading a key, nor > downloading a new key cause the "clean" to run. > > I must be doing something silly in the set-up. I created a new file in the > same directory as gpg.exe (OK?) called gpg.conf (OK?) and added to it > *exactly* your lines above (not line wrapped in the case of the third line. > I exited Thunderbird, restarted, and tried the keyserver procedures above. > No joy. Does that sound correct? gpg.conf must be in your GnuPG home directory. On Windows systems, this is equivalent to %APPDATA%\GnuPG or, fully expanded, C:\Documents and Settings\User Name\Application Data\GnuPG > Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail > 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it lists > the import/export-options "clean" command there is no equivalent > key-server-option "clean" command listed - this may just be an oversight in > the doc file, of course. - From the gpg.man file that shiped with 1.4.2: --keyserver-options parameters This is a space or comma delimited string that gives options for the keyserver. Options can be prepended with a `no-' to give the opposite meaning. Valid import-options or export- options may be used here as well to apply to importing (--recv-key) or exporting (--send-key) a key from a key- server. While not all options are available for all key- server types, some common options are: "Valid import-options or export-options..." -- it's in the documentation. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the £33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDJLi5HQSsSmCNKhARAqFYAKC/BRg3a57KIjATxcrW+U2Jw9+pNwCfXAB1 iR5KIh63duS1bJZ8/CHFvUM= =iZ6p -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
David Shaw wrote: >I have sympathy for that argument, so wouldn't it be good to trace >down where the sigs are entering the keyserver net, and ask whoever is >doing it to stop? It seems like the obvious first step. Assuming this is possible at all. I don't know exctly what keyservers log, but I'd assume that making the links GD sig upload -> IP address -> email address is not trivial. -- ir. J.C.A. Wevers // Physics and science fiction site: [EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
Kurt Fitzner wrote: >Signature cleaning and/or filtering is not the answer, just as spam >filtering is not the ultimate answer. I prefer spam filtering it over laws that compromise privacy as a side effect, but that's another discussion. However, your comparison doesn't work. Email spammers are many, use false sender addresses and are of bad will, making filtering difficult. GD is one, doesn't try to hide its identity so filtering is easy. -- ir. J.C.A. Wevers // Physics and science fiction site: [EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote: > David Shaw wrote: > > >I have sympathy for that argument, so wouldn't it be good to trace > >down where the sigs are entering the keyserver net, and ask whoever is > >doing it to stop? It seems like the obvious first step. > > Assuming this is possible at all. I don't know exctly what keyservers log, > but I'd assume that making the links GD sig upload -> IP address -> email > address is not trivial. It wasn't an idle suggestion. You can assume that I do, in fact, know that this is possible, or I wouldn't have suggested it. Why on earth an email address is relevant here I have no idea. You don't need anything more than the IP address. I made the suggestion as a challenge. The trace is not actually going to happen, as it is far, far more entertaining to complain and moan about the GD than it would be to see who is bridging the signatures. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
On Fri, Sep 09, 2005 at 03:00:31PM +0200, Johan Wevers wrote: > David Shaw wrote: > > >Known by *you*. I rather think the GD is a good signer, for what it > >is. > > I think both of you need to make a difference between a bad signer that > signs keys without doing sufficient checking, and a signer that spams > signatures in quantities that could become a DOS attack. The GD falls > in the second category, not in the first. No, actually it doesn't. The GD doesn't distribute signatures in bulk. In fact, you have to fetch each new signature manually. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: This IS about GD - a proposal on dealing with the problem
On Fri, Sep 09, 2005 at 07:58:57PM -0600, Kurt Fitzner wrote: > > It might be useful to tone down the rage here. PGP isn't producing > > toxic waste. They're producing small packets of binary data. Nobody > > is actually being poisoned and dying here. Extra signatures on keys > > do not actually harm anyone, despite all the hysterics that they seem > > to cause. At best, this is an aesthetic problem. > > The keyservers are the individuals being poisoned. It's a heavy metal > poison. In general, heavy metal poisons are dangerous because they > accumulate in the tissues of the affected individual and aren't > naturally cleaned and purged. Also, like the poisoning of many heavy > metals, this onem, if left to accumulate, will cause brain dysfunction > in the infected individuals. There are so many levels of wrong here that I am actually struck utterly silent. Congratulations. I'm leaving the thread. I cannot answer without somehow falsely implying that there is any signal in the noise. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: clean sigs
On Fri, Sep 09, 2005 at 09:59:53AM -0500, John Clizbe wrote: > David Shaw wrote: > > There is perhaps an argument to be made for a "super clean" that does > > clean and also removes any signature where the signing key is not > > present (in fact, an early version of clean did that), but that's a > > different thing than clean. > > Perhaps --scrub ? --sanitize ? --disinfect ? I rather like "minimize", but this isn't really a minimal key (as it has signatures other than selfsigs). David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs)
David Shaw wrote: > On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote: > >>David Shaw wrote: >> >> >>>I have sympathy for that argument, so wouldn't it be good to trace >>>down where the sigs are entering the keyserver net, and ask whoever is >>>doing it to stop? It seems like the obvious first step. >> >>Assuming this is possible at all. I don't know exctly what keyservers log, >>but I'd assume that making the links GD sig upload -> IP address -> email >>address is not trivial. > > > It wasn't an idle suggestion. You can assume that I do, in fact, know > that this is possible, or I wouldn't have suggested it. Why on earth > an email address is relevant here I have no idea. You don't need > anything more than the IP address. > > I made the suggestion as a challenge. The trace is not actually going > to happen, as it is far, far more entertaining to complain and moan > about the GD than it would be to see who is bridging the signatures. > It has been suggested that automatically retrieving keys from keyservers can expose your IP to the keyserver manager, as all they have to do is generate a new key, send it to you, and wait until someone downloads that key... It seems likely that sigs from the GD are entering via one of two ways: firstly, individuals putting their keys on the global directory, and then sending their keys with GD sigs out to SKS keyservers; secondly, someone doing a 2-way synchronisation of their entire keyring with both the GD and the SKS network. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 |X Against HTML email & vCards http://tinyurl.com/cc9up| / \ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request
cdr wrote:
> MUS1876 wrote:
>> Alphax wrote:
>>> I have friends who currently don't want to use PGP because they
>>> fear that their keys will be uploaded to a keyserver, and then
>>> they will be spammed forever more.
>>
>>
>> I totally agree what friends of Alphax say.
>>
>> Wouldn't it be cute to have a sepcial option to flag both keys and
>> subkeys as non exportable (uploadable) to keyservers? Speaking of
>> myself at current, I also don't want to see any of my keys posted
>> to a keyserver by someone else, be it on intention or not.
>>
> The time is ripe for a GPG variant: ("GPG-lean" ?): a public key
> encryption utility with no built-in e-mail ties and no attempt
> whatsoever to incorporate the solution for the authentication
> problem. (For the majority of us, fingerprint-exchange-by-voice is
> more perfectly adequate).
>
Ciphersaber?
--
Alphax | /"\
Encrypted Email Preferred | \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613 |X Against HTML email & vCards
http://tinyurl.com/cc9up| / \
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
