Re: OpenLDAP schema to store OpenPGP keys?
On Tue, 21 Feb 2006, David Shaw wrote:

> > If GnuPG could also store secret keys (btw, can it? have never checked)
>
> It's theoretically possible, but no keyserver works that way.

Probably not for HTTP keyservers, but for LDAP offering strong authentication and TLS/SSL?

A remotely accessible, single storage of secret keys could be quite useful for some people. You wouldn't be required to carry the secret keyring with you on USB sticks or else anymore. When I think about it, probably a better use for LDAP capabilities than to store public keys...

Perhaps something to add in the future? (feature request ;-)

> > on LDAP, this might be different story. However, at least for now,
> > being as secure as pam_ldap _is_ sufficient, IMHO.
>
> Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for
> the next release.

Next release of 1.4.x or 1.9.x?

Regards, Walter

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Necessity of GPG when using SSL
On Tue, Feb 21, 2006 at 07:52:26AM -0500, Henry Hertz Hobbit wrote:
> Johan Wevers wrote:
>
> > Henry Hertz Hobbit wrote:
> >
> > > Usually, if you are using a web interface to access your email, only the
> > > initial authentication is done via SSL. After that if your URL address
> > > shifts to using an "http://" rather than the "https://" you made your
> > > initial connection with means that your communication just shifted from
> > > SSL (weak encryption) to NO encryption. That is the norm.
> >
> > Strange, I've never seen that happen. All webmail from Dutch providers
> > that I've accessed (my own and some for people with problems where I
> > accessed the mail to dump mails with large attachments that took too
> > long to download) were https all the way.
>
> Thanks for the information. The reason I said what I said is because
> Netscape, Yahoo, gmail (the email account the original person was
> posting from) almost all do a shift from https:// to http:// after the
> connection is made. The only ones I have seen that continue using the
> SSL are small ISPs and only one of the local universities here. But then
> I have only seen three of the universities, and actually even the one
> that was using SSL all the time shifted after I showed an acquaintance
> how to make the connection that way and he spread the information to
> everybody he knew who spread it to Once that was done, even that
> school shifted to doing it with SSL for connection only. I realize that
> SSL doesn't have the overhead of more powerful encryption like that
> provided by OpenPGP, but it is still enough of an overhead that once
> the load of SSL all the time becomes noticeable to the ISP (or whoever),
> they feel that the authentication alone should be using SSL and they
> make the shift to using plain the rest of the time. In other words,
> consider yourself lucky IF you are getting SSL all the time if you
> need it all the time. On the other hand if you don't need SSL all the
> time there MAY be the possibility those long download times are partly
> being caused by the overhead of SSL encryption taking place on the
> server.

[...]

SSL/TLS is not ,,much more powerful'' encryption, it is a connection level encryption.

As for service providers using SSL to protect only the most sensitive data - computationally SSL on multiple connections is ,,heavy'' and supporting it continuously is expensive (specialized ,,SSL Accelerators'' cost tens of thousands of dollars). And there is really no point in encrypting the whole access since the contents, the emails usually travel the rest of the net unencrypted.

Alex

signature.asc
Description: Digital signature
Re: OpenLDAP schema to store OpenPGP keys?
Walter Haidinger wrote:
> On Tue, 21 Feb 2006, David Shaw wrote:
>
> > > If GnuPG could also store secret keys (btw, can it? have never checked)
> >
> > It's theoretically possible, but no keyserver works that way.
>
> Probably not for HTTP keyservers, but for LDAP offering strong
> authentication and TLS/SSL?
>
> A remotely accessible, single storage of secret keys could be quite
> useful for some people. You wouldn't be required to carry the secret
> keyring with you on USB sticks or else anymore. When I think about it,
> probably a better use for LDAP capabilities than to store public keys...
>
> Perhaps something to add in the future?
> (feature request ;-)

Isn't this what Kerberos was designed for?

--
Alphax                      |    /"\
Encrypted Email Preferred   |    \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |     X      Against HTML email & vCards
http://tinyurl.com/cc9up    |    / \

signature.asc
Description: OpenPGP digital signature
Re: OpenLDAP schema to store OpenPGP keys?
Alphax wrote:
> Isn't this what Kerberos was designed for?

No, Kerberos is only an authentication protocol. I'm talking about _storing_ secret keyrings on LDAP.

What if you access your email by IMAP only? Each MUA with GnuPG support (e.g. Thunderbird with Enigmail plugin) could then use the public _and_ secret PGP keys stored on the LDAP server, eliminating the need for a local keystore.

Walter
Re: file encryption and integrity check
On Wed, Feb 22, 2006 at 05:49:40PM +1030, Alphax wrote:
> Francesco Turco wrote:
>
> > I have disabled compression because files I have to encrypt are already
> > compressed, and compression takes much more time than encryption.
> >
> > Do you think it is a good choice?
>
> IIRC GnuPG will detect if data is compressed before it tries to compress
> it; if so, it won't try to.

This is correct. Of course, it's possible that GnuPG doesn't recognize a particular kind of compression. If I recall, it looks for bzip, gzip, and zip.

David
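The check David describes, as an added example that is not GnuPG's own code: look at the leading bytes of the input and skip compression when they carry the documented magic number of a gzip, bzip2 or zip container. The sample inputs are constructed in memory; the xz sample is included deliberately, because it is not on the list David gives and so shows the "GnuPG doesn't recognize a particular kind of compression" case, where already-compressed data would be compressed a second time.

```python
import bz2
import gzip
import io
import lzma
import zipfile
from typing import Dict, Optional

# Documented file-format magic numbers for the three formats named in the thread.
MAGIC = (
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"PK\x03\x04", "zip"),
)


def detect_compression(data: bytes) -> Optional[str]:
    """Return the container format name if DATA starts with a known magic
    number, else None (meaning: nothing recognised, so compress it)."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None


def should_compress(data: bytes) -> bool:
    """The rule as described in the thread: skip compression for input that is
    already gzip/bzip2/zip, compress everything else (including formats that
    are not recognised, such as xz)."""
    return detect_compression(data) is None


def make_samples() -> Dict[str, bytes]:
    """Constructed sample inputs, one per format, built entirely in memory."""
    payload = b"The quick brown fox jumps over the lazy dog.\n" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("fox.txt", payload)
    return {
        "plain": payload,
        "gzip": gzip.compress(payload),
        "bzip2": bz2.compress(payload),
        "zip": buf.getvalue(),
        # xz is NOT among the recognised formats: it will be compressed again.
        "xz": lzma.compress(payload),
    }


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:6s} detected={str(detect_compression(blob)):6s} "
              f"compress={should_compress(blob)}")
```

Only the first few bytes are inspected, so the cost of the check is negligible next to compressing the data; a format missing from the table, like xz here, is simply treated as compressible, which is the behaviour David warns about.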
Re: Necessity of GPG when using SSL
On Feb 22, 2006, at 6:22 AM, Janusz A. Urbanowicz wrote:

> And there is really no point in encrypting the whole access since the
> contents, the emails usually travel the rest of the net unencrypted.

But wouldn't it be much easier for an attacker to intercept all of your e-mail by listening in on an unencrypted webmail session than by trying to intercept each e-mail individually somewhere else? I think there certainly is a benefit to having SSL-encrypted webmail for exactly that reason: less determined attackers will not have access to the plaintext of the messages. (Although granted, it would be kind of foolish to depend upon SSL webmail if the messages are sent in plain text.)

--
Benjamin D. Esham
[EMAIL PROTECTED] | http://bdesham.net | AIM: bdesham128
Wikipedia, the Free Encyclopedia • http://en.wikipedia.org

PGP.sig
Description: This is a digitally signed message part
Error handling OpenPGP card with a cyberjack pinpad
Hello!

I'm unable to change the PIN, generate a key, ... on my OpenPGP card with a cyberjack pinpad smartcard reader (with 1.4.2.1 and 1.9.20). The error messages are:

[EMAIL PROTECTED]:~$ gpg2 --card-status
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: WARNING: This version of gpg is not very matured and
gpg: WARNING: only intended for testing. Please keep using
gpg: WARNING: gpg 1.2.x, 1.3.x or 1.4.x for OpenPGP
gpg: DBG: connection to agent established
scdaemon[20008]: NOTE: this is a development version!
scdaemon[22094]: reading public key failed: Missing item in object
scdaemon[22094]: reading public key failed: Missing item in object
scdaemon[22094]: reading public key failed: Missing item in object
gpg-agent[20007]: card has S/N: D276000124010101000107FD
Application ID ...: D276000124010101000107FD
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 07FD
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[EMAIL PROTECTED]:~$ scdaemon[20008]: ct_activate_card(0): activation failed: okay
scdaemon[20008]: DBG: received data: 62 01
scdaemon[20008]: scdaemon (GnuPG) 1.9.20 stopped

When using the card-edit command:

[EMAIL PROTECTED]:~$ gpg2 --card-edit
[output cut]
gpg: DBG: connection to agent established
scdaemon[25518]: NOTE: this is a development version!
scdaemon[25518]: reading public key failed: Missing item in object
scdaemon[25518]: reading public key failed: Missing item in object
scdaemon[25518]: reading public key failed: Missing item in object
[output cut]
Command> scdaemon[25518]: updating status of slot 0 to 0x0007
scdaemon[25518]: client pid is 25517, sending signal 12
scdaemon[25518]: scdaemon (GnuPG) 1.9.20 stopped

or when trying to change the PIN:

[EMAIL PROTECTED]:~$ gpg --change-pin
gpg: OpenPGP card no. D276000124010101000107FD detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
Q - quit

Your selection? 1
gpg: sending command `SCD PASSWD' to agent failed: ec=6.110
Error changing the PIN: general error

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
Q - quit

Your selection?

--
Any Ideas?

Peter M.

--
My scdaemon.conf:

disable-ccid
ctapi-driver libctapi-cyberjack.so
reader-port 1

--
I'm using a cyberjack pinpad (usb) (Product ID 0x300)
The CT-API driver (from reiner-sct) is version 2.0.9.

Program versions are:
Slackware-10.2 with kernel-2.6.14.7
gnupg-1.4.2.1
gnupg-1.9.20
libgpg-error-1.0
libksba-0.9.13
pth-2.0.4
pinentry-0.7.2
libassuan-0.6.10
Error handling OpenPGP card with a cyberjack pinpad
Hello again!

After reading the thread "OpenPGP card not available: Assuan server fault" my questions to the error messages generated by gpg2 are obsolete.

But when using gnupg-1.4.2.1 I'm still not able to do anything with the OpenPGP card. When I'm trying to e.g. change the PIN via gpg --change-pin and typing 1 or 3 (it's a new unused card), the pinentry-qt dialog pops up and after typing in the PIN the following error occurs:

gpg: sending command `SCD PASSWD' to agent failed: ec=4.99
Error changing the PIN: general error

The same with generating a key:

gpg: sending command `SCD SETATTR' to agent failed: ec=6.110

or listing all available data:

pgp: sending command `SCD LEARN' to agent failed: ec=6.110

---
Peter M.
GpgME: Compile under MinGW
Hi,

I downloaded the latest GpgME version and called configure. The last lines it outputs are:

configure: WARNING: ***
*** ttyname() is not thread-safe and ttyname_r() does not exist
***
checking whether we are using the GNU C Library 2.1 or newer... no
checking for getenv_r... no
configure: WARNING: ***
*** getenv() is not thread-safe and getenv_r() does not exist
***
checking for timegm... no
configure: WARNING: ***
*** timegm() not available - a non-thread-safe kludge will be used
*** and the TZ variable might be changed at runtime.
***
checking for gpg-error-config... no
checking for GPG Error - version >= 0.5... no
configure: error: libgpg-error was not found

What do I need to do?

Thanks for help.
--esskar
Re: Necessity of GPG when using SSL
Hello,

I switched a few years ago to fastmail.fm for several reasons:

- https + advanced protections when accessing from a public terminal (including URL pseudo-scrambling)
- IMAP with SSL
- Text and only text for the webmail interface (no pop-up ad and no graphics), just plain speed
- WebDAV (I don't use it)
- IMAP access on non-standard ports like 80 and 443 so you can go through some difficult firewalls

I usually don't promote commercial products but as they offer a free plan as well I thought it might help some people.

Dany

PS: before writing this email I quickly started Ethereal and used the webmail in order to check that the connection was SSL protected even after login.

Henry Hertz Hobbit wrote:
> Johan Wevers wrote:
>
> > Henry Hertz Hobbit wrote:
> >
> > > Usually, if you are using a web interface to access your email, only the
> > > initial authentication is done via SSL. After that if your URL address
> > > shifts to using an "http://" rather than the "https://" you made your
> > > initial connection with means that your communication just shifted from
> > > SSL (weak encryption) to NO encryption. That is the norm.
> >
> > Strange, I've never seen that happen. All webmail from Dutch providers
> > that I've accessed (my own and some for people with problems where I
> > accessed the mail to dump mails with large attachments that took too
> > long to download) were https all the way.
>
> Thanks for the information. The reason I said what I said is because
> Netscape, Yahoo, gmail (the email account the original person was
> posting from) almost all do a shift from https:// to http:// after the
> connection is made. The only ones I have seen that continue using the
> SSL are small ISPs and only one of the local universities here. But then
> I have only seen three of the universities, and actually even the one
> that was using SSL all the time shifted after I showed an acquaintance
> how to make the connection that way and he spread the information to
> everybody he knew who spread it to Once that was done, even that
> school shifted to doing it with SSL for connection only. I realize that
> SSL doesn't have the overhead of more powerful encryption like that
> provided by OpenPGP, but it is still enough of an overhead that once
> the load of SSL all the time becomes noticeable to the ISP (or whoever),
> they feel that the authentication alone should be using SSL and they
> make the shift to using plain the rest of the time. In other words,
> consider yourself lucky IF you are getting SSL all the time if you
> need it all the time. On the other hand if you don't need SSL all the
> time there MAY be the possibility those long download times are partly
> being caused by the overhead of SSL encryption taking place on the
> server.
>
> Do you need encryption all the time or not? My advice still remains the
> same - OpenPGP is still the best choice for the scenario presented, IF I
> indeed understood all the parameters. It puts the control of when to use
> it in your hands. It just depends on what is being transported. I could
> care less whether all that spam is encrypted or not. I also don't want all
> the redirected email on my comcast account (also spam, but with the worms
> removed) encrypted during transmission. The faster I get rid of it the
> better. Not having the transmission of it helps me get rid of it as fast
> as possible!
>
> HHH
GPGOL - Error registering DLL
Hi,

I'm trying to install GPGOL for use with Outlook 2003 on Windows XP SP2. I've followed the instructions and am attempting to register the gpgol.dll file - getting the error message

LoadLibrary("gpgol.dll") failed
GetLastError returns 0x007e

There's probably a few "non-standard" components here, but nothing I can see that would cause a problem. I've downloaded the zip from the ftp site and put the other DLLs in the system directory.

Any ideas?

TIA,
--
Paul Squires
[EMAIL PROTECTED] | OpenPGP Key ID: 0x423003E0
MSN: [EMAIL PROTECTED] | ICQ: 318471677
Re: OpenLDAP schema to store OpenPGP keys?
On Wed, Feb 22, 2006 at 11:02:10AM +0100, Walter Haidinger wrote:
> On Tue, 21 Feb 2006, David Shaw wrote:
>
> > > If GnuPG could also store secret keys (btw, can it? have never checked)
> >
> > It's theoretically possible, but no keyserver works that way.
>
> Probably not for HTTP keyservers, but for LDAP offering strong
> authentication and TLS/SSL?
>
> A remotely accessible, single storage of secret keys could be quite
> useful for some people. You wouldn't be required to carry the secret
> keyring with you on usbsticks or else anymore. When I think about it,
> probably a better use for LDAP capabilities than to store public keys...

It's a bit more complex than that - what LDAP (and any keyserver) does is provide the key itself. That key is then imported and lives locally from then on until it is deleted. There would need to be cleanup after use or keys would be left behind.

Are you looking for a remote keyring? That's slightly different than a keyserver, or at least the thing that GnuPG calls a keyserver.

> > > on LDAP, this might be different story. However, at least for now,
> > > being as secure as pam_ldap _is_ sufficient, IMHO.
> >
> > Okay, I buy this. I'll add binddn and bindpw to gpgkeys_ldap for
> > the next release.
>
> Next release of 1.4.x or 1.9.x?

1.4.3. I've added the new feature, so you could probably grab the gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like. There aren't significant changes to the keyserver protocol between the two. Just replace the existing gpgkeys_ldap.c with the new one and recompile.

This is just for testing though - the actual feature needs a little more work before 1.4.3 release - the binddn and bindpw is global for all keyservers, so if someone selects a different ldap keyserver without removing the binddn and bindpw, they likely will be refused (bad password). This can happen automatically with keyserver URLs.

What is really needed is a .netrc-style "ldap-password" file that contains binddn and bindpw for different machines.

David
Re: OpenLDAP schema to store OpenPGP keys?
On Wed, 22 Feb 2006, David Shaw wrote:
> It's a bit more complex than that - what LDAP (and any keyserver) does
> is provide the key itself. That key is then imported and lives
> locally from then on until it is deleted. There would need to be
> cleanup after use or keys would be left behind.

I see. Obviously not a problem for public keys but definitely for private... Should have thought a bit more about how GnuPG works first. I guess I was too enthusiastic about the soon-working LDAP keyserver...

Btw, I'll test the unique flag later today.

> Are you looking for a remote keyring?
> That's slightly different than a keyserver, or at least the thing
> that GnuPG calls a keyserver.

Now that you mention it: actually yes, for private keys. I've not done any research about that yet. Just came to my mind during the discussion in this thread.

Does GnuPG support remote keyrings?

> 1.4.3. I've added the new feature, so you could probably grab the
> gpgkeys_ldap.c from svn and use it in your 1.4.2 if you like.

Thanks. I was about to ask if I can get it from the SVN tree early... You're just too quick! ;-)

> There aren't significant changes to the keyserver protocol between
> the two.
> Just replace the existing gpgkeys_ldap.c with the new one and
> recompile.

I'll try a full checkout, though. I've read about another option which allows for keyserver failover, 'query' IIRC.

> This is just for testing though - the actual feature needs a little
> more work before 1.4.3 release - the binddn and bindpw is global for
> all keyservers, so if someone selects a different ldap keyserver
> without removing the binddn and bindpw, they likely will be refused
> (bad password). This can happen automatically with keyserver URLs.
> What is really needed is a .netrc-style "ldap-password" file that
> contains binddn and bindpw for different machines.

This is a general limitation, not to be solved by the ldap code, IMHO. AFAIK, 1.4.2 only supports a single keyserver, right? Therefore, any keyserver options apply to the one set. There should be a mechanism to specify multiple keyservers, each with its own option set, binddn and bindpw just being one of them.

Walter
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, Feb 23, 2006 at 01:04:10AM +0100, Walter Haidinger wrote:
> On Wed, 22 Feb 2006, David Shaw wrote:
> > Are you looking for a remote keyring?
> > That's slightly different than a keyserver, or at least the thing
> > that GnuPG calls a keyserver.
>
> Now that you mention it: actually yes, for private keys. I've not done
> any research about that yet. Just came to my mind during the discussion
> in this thread.
> Does GnuPG support remote keyrings?

No, unless it's via a remote filesystem (NFS, SMB, some magic with fuse, etc).

> > This is just for testing though - the actual feature needs a little
> > more work before 1.4.3 release - the binddn and bindpw is global for
> > all keyservers, so if someone selects a different ldap keyserver
> > without removing the binddn and bindpw, they likely will be refused
> > (bad password). This can happen automatically with keyserver URLs.
> > What is really needed is a .netrc-style "ldap-password" file that
> > contains binddn and bindpw for different machines.
>
> This is a general limitation, not to be solved by the ldap code,
> IMHO. AFAIK, 1.4.2 only supports a single keyserver, right?
> Therefore, any keyserver options apply to the one set. There should
> be a mechanism to specify multiple keyservers, each with its own
> option set, binddn and bindpw just being one of them.

I'm not sure I agree with this. GnuPG does support multiple keyservers in the sense that it handles preferred keyserver records on keys, as well as the new auto-key-locate feature. All of these have the same set of options, as keyserver options are not per-keyserver. They're not "options for keyserver x" - they are "options that pertain to keyservers". For example, "auto-key-retrieve" is not meaningful except in the general sense. Until yesterday, in fact, when I added binddn and bindpw, all the options were not meaningful except in the general sense.

I think the right place for the solution is in gpgkeys_ldap itself. Certainly, HTTP, FTP, and HKP have no notion of a DN to bind to.

David
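The .netrc-style "ldap-password" file David proposes earlier in this thread, and defends here as a gpgkeys_ldap-internal solution, as an added example that is not GnuPG's code: the file keys bind credentials by keyserver host, so the binddn/bindpw sent to one LDAP keyserver are never replayed against another, and non-LDAP keyservers (HKP, HTTP, FTP) get no credentials at all. The file format (`machine <host> binddn <dn> bindpw <password>`, plus a `default` entry, `#` comments) is an assumption of this example, not something GnuPG defines; the sample file is constructed. The permission check assumes a POSIX system and follows the rule ftp(1) applies to ~/.netrc.

```python
import os
import stat
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Cred = Tuple[str, str]  # (binddn, bindpw)

# Constructed sample: one entry per LDAP keyserver host, plus a fallback.
SAMPLE_FILE = """\
# ldap-password: constructed sample, format assumed by this example
machine keys.example.org       binddn cn=gpg,dc=example,dc=org         bindpw s3cret-one
machine ldap.corp.example.net  binddn uid=reader,ou=svc,dc=corp        bindpw s3cret-two
default                        binddn cn=anon-reader,dc=example,dc=org bindpw public
"""


def parse_ldap_password_file(text: str) -> Tuple[Dict[str, Cred], Optional[Cred]]:
    """Parse the assumed format; return (per-host map, default entry or None).
    Any line that is not a well-formed 'machine' or 'default' entry is an error."""
    hosts: Dict[str, Cred] = {}
    default: Optional[Cred] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] == "machine" and len(t) == 6 and t[2] == "binddn" and t[4] == "bindpw":
            hosts[t[1].lower()] = (t[3], t[5])
        elif t[0] == "default" and len(t) == 5 and t[1] == "binddn" and t[3] == "bindpw":
            default = (t[2], t[4])
        else:
            raise ValueError(f"line {lineno}: unrecognised entry: {raw!r}")
    return hosts, default


def credentials_for(keyserver_url: str, hosts: Dict[str, Cred],
                    default: Optional[Cred]) -> Optional[Cred]:
    """Select bind credentials for one keyserver URL. Only ldap/ldaps get any
    (HKP/HTTP/FTP have no DN to bind to); an unlisted LDAP host falls back to
    the default entry, or to None, meaning an anonymous bind."""
    parts = urlsplit(keyserver_url)
    if parts.scheme not in ("ldap", "ldaps"):
        return None
    return hosts.get((parts.hostname or "").lower(), default)


def load_ldap_password_file(path: str) -> Tuple[Dict[str, Cred], Optional[Cred]]:
    """Read the file, refusing it when group or world can access it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: must be private (mode {mode:04o})")
    with open(path, encoding="utf-8") as fh:
        return parse_ldap_password_file(fh.read())


def demo() -> dict:
    """Write the constructed sample to a private temp file, load it, and show
    per-host selection plus rejection of a world-readable copy."""
    tmpdir = tempfile.mkdtemp()
    good = os.path.join(tmpdir, "ldap-password")
    with open(good, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_FILE)
    os.chmod(good, 0o600)
    hosts, default = load_ldap_password_file(good)
    result = {
        "keys.example.org": credentials_for("ldaps://keys.example.org:636/", hosts, default),
        "unlisted-ldap": credentials_for("ldap://pgp.unlisted.example", hosts, default),
        "hkp": credentials_for("hkp://keys.example.org", hosts, default),
    }
    leaky = os.path.join(tmpdir, "ldap-password.leaky")
    with open(leaky, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_FILE)
    os.chmod(leaky, 0o644)
    try:
        load_ldap_password_file(leaky)
        result["world_readable_rejected"] = False
    except PermissionError:
        result["world_readable_rejected"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

Keying on the host, rather than keeping one global binddn/bindpw, is what stops the "bad password" refusal David describes when a preferred-keyserver record or auto-key-locate switches to a different LDAP server; the mode check matters because the file holds a reusable password, so it should be no more readable than a secret keyring.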