Re: How to use an "offline" primary key

2010-01-04 Thread Peter Lebbing
Sven Radde wrote:
> I thought that I would simply 'include' the primary key by adding
> "--secret-keyring secring2.gpg" whenever I need it for these kinds of
> operations, but GnuPG complains about missing parts of the secret key
> regardless of whether this option is present or not.

AFAIK, GnuPG will take the first version of the key it finds. The first version
of the key (primary and subkeys) is in your default keyring, with only a stub
primary.

You could try something like
--no-default-keyrings --secret-keyring secring2.gpg --public-keyring
pubring2.gpg --secret-keyring secring.gpg --public-keyring pubring.gpg

where secring.gpg/pubring.gpg are your default keyrings.

By exchanging the order of the keyrings, hopefully this will mean it looks for
the key in secring2.gpg first, where the primary key is included too.

I haven't tried it myself, though.

Good luck,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How to use an "offline" primary key

2010-01-04 Thread M.B.Jr.
Hi list,
I wish a great 2010 year for everybody!


On Sat, Jan 2, 2010 at 11:09 AM, Sven Radde  wrote:
> Hello GnuPG-Users!
>
> With a new year comes a new keypair and this time I tried to use subkeys
> to separate my secret primary key from the "day-to-day"
> encryption/signing keys.


Concerning Sven's statement about his primary key's secrecy, and
something David Shaw explained to me a while ago, I ask you:

is it possible to have a totally secret digital signature primary key?
I mean, part of it will be inevitably public, won't it?


Regards,

Marcio Barbado, Jr.



Re: How to use an "offline" primary key

2010-01-04 Thread Sven Radde
Hi!

Peter Lebbing schrieb:
> By exchanging the order of the keyrings, hopefully this will mean it looks for
> the key in secring2.gpg first, where the primary key is included too.

Works fine for certifying other people's keys, thank you!

However, since all updates to my key would be done to "secring2" and
"pubring2" in this case, I think I would have to re-export/import from
the "offline" keyring to the "online" keyring every time I do things
like changing preferences, setting expiry dates, adding new subkeys etc.
But this is really just a very minor inconvenience and I will see
whether I can do with "secring", "secring2" and a single shared "pubring"...

cu, Sven



Re: Encrypting with a message expiration date

2010-01-04 Thread David Shaw
On Jan 4, 2010, at 1:17 AM, Robert J. Hansen wrote:

>> Morten Gulbrandsen wrote:
>>> Allen Schultz wrote:
>>> 
>>>> Is there a way to force an expiration date when encrypting a message
>>>> for additional security.
>> 
>> [...]
>> 
>>> 
>>> sure
>>> 
>>> http://vanish.cs.washington.edu/
> 
> There are, as near as I can tell, only three options: either (a) you
> trust the sender's clock, (b) you trust the recipient's clock, or (c)
> you trust a third-party clock.
> 
> Once you know which clock the system is trusting, attack the clock.
> Subvert and/or impersonate it, rewind time back, and view the message again.

Did you read the Vanish paper?  That's not how it works - there isn't some 
piece of code that says "if (not_yet_expired) { show_data }".  Rolling the 
clock back has little effect.  In Vanish, the key is broken into multiple key 
shares (a la Shamir), and spread out over many machines in a large pool.  At 
expiration time (a regular occurrence on the node, and not specific to the 
message), the key share is simply dropped.  Eventually, enough shares are gone 
that the key cannot be recovered.  One could conjecture some master of the 
universe attack against all of the nodes, but it's a very different trick to 
subvert one machine than it is to subvert over a million of them (Vanish runs 
over Vuze).  Plus the attack would have to be mounted before the message 
expires.

Of course, see http://z.cs.utexas.edu/users/osa/unvanish/ ;)

To be sure, Vanish doesn't solve the problem we're talking about here, but I 
can't really hold that against it since that's not the problem it was designed 
to solve.

David


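To make the mechanism David describes concrete, here is an added example in Python; it is not code from the Vanish project or from anyone in this thread. It performs a textbook Shamir split of a 128-bit key into n shares with threshold k, then simulates nodes dropping their shares one at a time at their own expiry times and reports, after each expiry, whether whoever holds the survivors can still recover the key. The threshold k, the share count n, the seeded expiry order and the choice of the Mersenne prime 2^521 - 1 as the field are assumptions made for the demo.

```python
import random
import secrets

# Field for the shares: the Mersenne prime 2**521 - 1, large enough to hold
# a 256-bit symmetric key in a single field element (assumption of this demo).
PRIME = 2**521 - 1


def split_secret(secret, k, n, rng=None):
    """Shamir split: embed `secret` as the constant term of a random polynomial
    of degree k-1 over GF(PRIME) and hand out its value at x = 1..n.
    Any k of the n points determine the polynomial; k-1 points reveal
    nothing about the constant term."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    rng = rng or secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Given fewer than k shares this still
    returns *a* field element, just not the secret: the caller cannot tell a
    wrong answer from a right one, which is the point of the scheme."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def simulate_vanish(k=5, n=10, seed=1):
    """Model of the lifecycle David describes: the key is split into n shares
    held by n nodes, and each node drops its share when its own timer fires
    (the order is modelled here by a seeded shuffle). After each expiry,
    report how many shares survive and whether a holder of the survivors can
    still recover the key. No node keeps a timestamp to check against, so
    rewinding a clock afterwards recreates nothing: the shares are gone."""
    rng = random.Random(seed)
    key = rng.getrandbits(128)
    shares = split_secret(key, k, n, rng)
    rng.shuffle(shares)                     # order in which nodes happen to expire
    timeline = []
    while shares:
        # The best a collector can do is interpolate over what is left
        # (k shares suffice; fewer than k yield an unrelated value).
        candidate = recover_secret(shares[:k])
        timeline.append((len(shares), candidate == key))
        shares.pop()                        # the next node's share expires
    return timeline


if __name__ == "__main__":
    for remaining, ok in simulate_vanish():
        print(f"{remaining:2d} shares left -> key recoverable: {ok}")
```

Running the simulation with the defaults shows recovery succeeding while five or more of the ten shares survive and failing from the sixth expiry on. The design point is that expiry is enforced by share erasure, not by a time comparison at read time, so the only window in which the data is recoverable is the one David names: before enough shares have been dropped.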


Compatibility version between version 1.2 and 1.4.10

2010-01-04 Thread Stringer, Robert
Hi

We just downloaded the latest version of GNuPg, version 1.4.10.

Questions:

Can we reuse the same keys to encrypt the data?
Can we use the 1.4.10 version without any modifications on our systems?
Are there any issues we must be aware of regarding the new version?

PS: GNUPG runs on WINDOWS 2003 server.

Thx

Robert









Re: Compatibility version between version 1.2 and 1.4.10

2010-01-04 Thread David Shaw
On Jan 4, 2010, at 10:02 AM, Stringer, Robert wrote:

> Hi
>  
> We just downloaded the latest version of GNuPg, version 1.4.10. 
>  
> Questions:
>  
> Can we reuse the same keys to encrypt the data?

Impossible to say without knowing how you are using GPG.  I can say "almost 
certainly", though.

> Can we use the 1.4.10 version without any modifications on our systems?

Impossible to say without knowing how you are using GPG.  I can say "probably", 
though.

> Is there any issues we must be aware regarding the new version?

Read the NEWS file that comes with every version of GPG.  The file is updated 
for every release.  In your case, you should read the sections between 1.4.10 
and 1.2.

David




how to find the keygrip of a key

2010-01-04 Thread silly8888
Hi all,

I have a gpg key that I would like to add to gpg-agent using the
gpg-preset-passphrase. I understand that gpg-preset-passphrase expects
me to provide the keygrip of the key but I cannot see how to find it. The
key is an ordinary gpg key, nothing to do with gpgsm. Any help would
be appreciated.



Re: how to find the keygrip of a key

2010-01-04 Thread Werner Koch
On Tue, 5 Jan 2010 01:18:11 -0500, silly wrote:

> I have a gpg key that I would like to add to gpg-agent using the
> gpg-preset-passphrase. I understand that gpg-preset-passphrase expects
> me to provide the keygrip of the key but I cannot see how to find it. The
> key is an ordinary gpg key, nothing to do with gpgsm. Any help would

As of now gpg uses the gpg-agent only for passphrase caching.  That
also means that there is no keygrip.  Instead you use the
fingerprint of the key.  Usually the fingerprint of the primary key is
sufficient for almost all gpg actions.  However, here we need to use
the fingerprint of the actual subkey; use this command to show it:

  $ gpg2 --fingerprint --fingerprint al...@example.net
  pub   1024D/68697734 1999-03-08
        Key fingerprint = A0FF 4590 BB61 22ED EF6E  3C54 2D72 7CC7 6869 7734
  uid                  Alfa Test (demo key)
  uid                  Alpha Test (demo key)
  uid                  Alice (demo key)
  sub   1024g/46A871F8 1999-03-08
        Key fingerprint = 3B3F BC94 8FE5 9301 ED62  9EFB 6AE6 D7EE 46A8 71F8

Thus for the decryption key you would use

  $ echo abc | gpg-preset-passphrase \
        --preset 3B3FBC948FE59301ED629EFB6AE6D7EE46A871F8


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.


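As an added example, not Werner's code and not part of GnuPG, the following Python parses the `--fingerprint --fingerprint` listing from his message, strips the spaces from each fingerprint, checks that the 40-digit fingerprint ends in the short key ID shown on its `pub`/`sub` line, and picks the encryption subkey's fingerprint as the cache ID to pass to `gpg-preset-passphrase --preset`. The sample listing is the one above, embedded as input; the algorithm-letter mapping used to spot an encryption subkey (`g` for ElGamal encrypt-only, `R` for RSA) and the choice of the first such subkey are assumptions of the example.

```python
import re

# Listing from Werner's message, embedded here as the sample input.
SAMPLE_LISTING = """\
pub   1024D/68697734 1999-03-08
      Key fingerprint = A0FF 4590 BB61 22ED EF6E  3C54 2D72 7CC7 6869 7734
uid                  Alfa Test (demo key)
uid                  Alpha Test (demo key)
uid                  Alice (demo key)
sub   1024g/46A871F8 1999-03-08
      Key fingerprint = 3B3F BC94 8FE5 9301 ED62  9EFB 6AE6 D7EE 46A8 71F8
"""

# "pub   1024D/68697734 1999-03-08": kind, bit length, algorithm letter,
# short (or long) key ID and creation date.
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/"
    r"(?P<keyid>[0-9A-Fa-f]{8,16})\s+(?P<date>\d{4}-\d{2}-\d{2})"
)
FPR_LINE = re.compile(r"^\s*Key fingerprint\s*=\s*(?P<fpr>[0-9A-Fa-f ]+?)\s*$")

# Algorithm letters taken here to denote encryption-capable subkeys
# (assumption of this example: 'g' ElGamal encrypt-only, 'R' RSA).
ENCRYPTION_ALGOS = {"g", "R"}


def parse_fingerprints(listing):
    """Parse a `gpg --fingerprint --fingerprint` listing into one record
    per pub/sub line: {'kind', 'bits', 'algo', 'keyid', 'date', 'fpr'}.
    The fingerprint is returned without spaces, the form that
    gpg-preset-passphrase expects."""
    keys = []
    current = None
    for line in listing.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.groupdict()
            current["bits"] = int(current["bits"])
            current["keyid"] = current["keyid"].upper()
            current["fpr"] = None
            keys.append(current)
            continue
        m = FPR_LINE.match(line)
        if m and current is not None:
            fpr = m.group("fpr").replace(" ", "").upper()
            # A v4 fingerprint is 40 hex digits and its low 64 bits are the
            # key ID, so the ID on the pub/sub line must be its tail.
            if len(fpr) != 40 or not fpr.endswith(current["keyid"]):
                raise ValueError(
                    f"fingerprint {fpr!r} does not match key ID {current['keyid']}"
                )
            current["fpr"] = fpr
    return keys


def encryption_subkey_fingerprint(keys):
    """Fingerprint of the first encryption-capable subkey: the cache ID to
    hand to `gpg-preset-passphrase --preset` for decryption."""
    for k in keys:
        if k["kind"] == "sub" and k["algo"] in ENCRYPTION_ALGOS and k["fpr"]:
            return k["fpr"]
    raise LookupError("no encryption subkey with a fingerprint found")


def preset_passphrase_argv(fingerprint):
    """Command line for caching one key's passphrase in gpg-agent. The
    passphrase itself is read from stdin, exactly as in `echo abc | ...`
    above, so it never appears in the process list."""
    if not re.fullmatch(r"[0-9A-F]{40}", fingerprint):
        raise ValueError("expected a 40-digit hex fingerprint without spaces")
    return ["gpg-preset-passphrase", "--preset", fingerprint]


if __name__ == "__main__":
    parsed = parse_fingerprints(SAMPLE_LISTING)
    for k in parsed:
        print(k["kind"], k["keyid"], k["fpr"])
    print(" ".join(preset_passphrase_argv(encryption_subkey_fingerprint(parsed))))
```

The key-ID check catches a listing that has been mangled in transit (a wrapped or truncated fingerprint line would otherwise cache the passphrase under a wrong ID). Note that this is the GnuPG 1.x/2.0 behaviour Werner describes; in GnuPG 2.1 and later the agent identifies keys by keygrip, which `gpg --with-keygrip -K` prints, and that keygrip is what `gpg-preset-passphrase` then takes.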