Re: Fix for smartcards on some newer linux distros

2013-03-11 Thread Grant Olson
On 03/11/2013 04:35 AM, Werner Koch wrote: > On Sun, 10 Mar 2013 01:10, k...@grant-olson.net said: > >> P.S. Wonder if we can get a better error message since this >> really has nothing to do with unsupported certificates. > > Sorry, we can't do muc

Fix for smartcards on some newer linux distros

2013-03-09 Thread Grant Olson
I found a few threads going back at least a year where people were having trouble getting smartcards running with gpg2 on newer linux distros. Users would see this error when querying the card-status: gpg: selecting openpgp failed: Unsupported certificate gpg: OpenPGP card not available:

Re: PGP for zLinux

2013-03-01 Thread Grant Olson
On 3/1/13 10:43 AM, gcal...@br.ibm.com wrote: > Hi, > > I am currently using zLinux version 2.6.16.60. > > Which PGP version would you recommend for my OS? > > Many thanks in advance. > > Most linux distributions include gnupg by default. I don't know if this is the case with zLinux. Try thi

Re: what is the option for "Use this key anyway? (y/N) y"

2013-02-26 Thread Grant Olson
On 02/26/2013 07:02 AM, pradeep kumar wrote: > Hi, > > I was trying to encrypt the file and it asking me this question to use > this key anyway and after giving y then it is able to create to > .aasdfsdf(ASCII) file. > > *gpg -ea -r xxx -u xxx -o .aasdfsdf * > > But I want to pass this "y" key i

Re: Questions about OpenPGP best practices

2013-02-25 Thread Grant Olson
On 2/25/13 5:54 PM, Peter Loshin wrote: > > 1. "Don't use pgp.mit.edu". Which keyserver *should* be used? I assume > that a pool is better than a particular server; is there one > particular pool that is preferred? What about > http://pool.sks-keyservers.net/? > Yep, that's the one you want. >

Best way to catch INSECURE unverified sig status when shelling out to gpg?

2013-02-09 Thread Grant Olson
I'm currently writing a plugin that allows you to OpenPGP sign/verify ruby software packages: https://github.com/grant-olson/rubygems-openpgp Right now I'm just shelling out to gpg and checking the status code to determine success

Re: Best way to catch INSECURE unverified sig status when shelling out to gpg?

2013-02-09 Thread Grant Olson
On 02/09/2013 06:09 PM, Grant Olson wrote: > > What is the best way to check for this? I presume something like > stdout.include?("INSECURE") is not localization friendly. > Sorry INSECURE was actually from my test key.

Re: Moving from openpgp card to cryptostick

2012-02-09 Thread Grant Olson
On 2/9/12 4:46 AM, Klaus Layer wrote: > > I proceed exactly as described in the howto with my backup keys. But I always > get the message "gpg: secretkey already stored on a card" > > Any idea how I can resolve this? > I would suggest setting up the new card off of a temp keyring using the hom

Re: Migrating to Smartcards

2011-08-30 Thread Grant Olson
On 8/30/11 2:44 PM, Hauke Laging wrote: > On Tuesday, 30 August 2011, 17:54:32, Richard wrote: > >> Will that cause any problems in later GnuPG use as the cards' IDs are >> different? > > At least no serious ones. You will probably have to make gpg read the card > content by --card-status or

Re: a Question about Key Servers

2011-08-24 Thread Grant Olson
On 8/24/11 11:47 AM, Mike Acker wrote: > > given that I have loaded my public key to a key-server ( e.g. > keys.gnupg.net ) > > when i upload information to be merged into my keyblock (e.g. a new user > ID, revocate certificate, or new expiration date ) > > what will cause other GPG users to r

Re: Smartcard PIN may be shorter than passphrase?

2011-08-23 Thread Grant Olson
On 8/23/11 12:43 PM, David Tomaschik wrote: > > So even a 4-digit PIN would ensure a less than 1% chance of guessing > the PIN. (Assuming that the user does not select obvious pins like > birthdates, anniversaries, etc.) At 8 digits, the probability becomes > something like 6*10^-8, if I do the

Re: Including public key

2011-07-27 Thread Grant Olson
On 7/27/2011 10:25 PM, Len Cooley wrote: > Well, let me ask you this. Is it useful/useless/ridiculous/or what to > attach your public key as a sig at the end of an email, such as below? > Unless you're trying to keep your key 'off the grid' I'd just send the key to the keyservers. Then people who

Re: Smartcards and readers

2011-07-24 Thread Grant Olson
On 7/24/2011 5:57 PM, Robert J. Hansen wrote: > I'm looking into picking up an OpenPGP smartcard and reader for an OS X > system. The card itself can be picked up from KernelConcepts, but there > seem to be an awful lot of different readers available. > > If anyone has any *direct experience* (no

Re: Aspects of trust

2011-06-14 Thread Grant Olson
On 6/14/11 3:35 PM, Kerrick Staley wrote: > OK, I think I understand: > > Validity and trust are separate, but GnuPG lumps "validity" and > "trust, for the sole purpose of signing others' keys" together into a > single value (which is one of "unknown", "never", "marginal", "full", > and "ultimate"

Re: Temporarily remember passphrase?

2011-05-19 Thread Grant Olson
On 5/19/2011 7:07 AM, Chris Poole wrote: > Hi > > I often decrypt several files in quick succession (with a simple script). > > Is it possible to have gpg remember my passphrase, only very > temporarily? (Perhaps for 10 seconds or so.) > > I've looked into gpg-agent, and tried using the --use-ag

Re: Best practice for periodic key change?

2011-05-09 Thread Grant Olson
On 5/10/2011 1:35 AM, Jerome Baum wrote: > On Tue, May 10, 2011 at 07:30, Grant Olson <mailto:k...@grant-olson.net>> wrote: > > But there's no way to prove that the keys were originally generated > on-card, and weren't imported from a software private ke

Re: Best practice for periodic key change?

2011-05-09 Thread Grant Olson
On 5/10/2011 1:10 AM, Jerome Baum wrote: > On Tue, May 10, 2011 at 07:01, Grant Olson <mailto:k...@grant-olson.net>> wrote: > > On 5/10/2011 12:41 AM, Daniel Kahn Gillmor wrote: > > Maybe one of the folks with experience implementing these devices can > &

Re: Best practice for periodic key change?

2011-05-09 Thread Grant Olson
On 5/10/2011 12:41 AM, Daniel Kahn Gillmor wrote: > On 05/10/2011 12:32 AM, Jerome Baum wrote: >> Is that an implementation problem? i.e. is it possible to write an >> implementation that does distinguish, or is it technically impossible w/out >> processing the entire data on-card? > > As i unders

Re: Best practice for periodic key change?

2011-05-07 Thread Grant Olson
On 5/7/2011 5:08 PM, Ingo Klöcker wrote: > On Sunday 08 May 2011, Grant Olson wrote: >=== > > You seem to send messages from the future. ;-) > That's funny. I wanted to make sure I wasn't lying before replying. A little later I was deploying code to

Re: Best practice for periodic key change?

2011-05-07 Thread Grant Olson
On 5/7/2011 7:54 AM, Hauke Laging wrote: > On Saturday, 7 May 2011, 04:33:17, Grant Olson wrote: > >> 1) I digitally sign a document saying I owe you money. The signing key >> has an expiration date. >> >> 2) Key expires. I do nothing. >> >> 3) T

Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
On 5/6/2011 10:05 PM, Hauke Laging wrote: > > Several people have mentioned that a signature does not become invalid by > expiration of the key. That is formally correct and describes the GnuPG > behaviour. But with regard to content in such a case there has to be an > additional proof that the

Fwd: Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
Meant to sent on-list... Original Message Subject: Re: Best practice for periodic key change? Date: Sun, 08 May 2011 16:39:34 -0400 From: Grant Olson To: Ingo Klöcker On 5/6/11 3:48 PM, Ingo Klöcker wrote: > On Thursday 05 May 2011, Hauke Laging wrote: >> Wh

Re: Best practice for periodic key change?

2011-05-06 Thread Grant Olson
On 5/6/11 4:48 PM, Jerome Baum wrote: > On Fri, May 6, 2011 at 22:37, Doug Barton > wrote: > > > I don't understand this response. What I'm saying is that if the key > is compromised, expiration dates become irrelevant. > > > Up to a point. If my key expired

Re: Best practice for periodic key change?

2011-05-05 Thread Grant Olson
On 5/5/11 2:52 AM, Andreas Heinlein wrote: > Hello, > > I hope you can give me some advice on the following problem: > > We have a OpenPGP key which we use for signing our software releases. > That key should be changed yearly and carry an expiration date to > enforce this change. However, for th

Re: Offline Master Key

2011-05-02 Thread Grant Olson
On 5/2/11 12:13 PM, John Clizbe wrote: > David Shaw wrote: >> >> There is/was a HOWTO document for this method of handling keys written at one >> point. I can't seem to find the link at the moment, but if someone has it >> handy, please do post it. > > Adrian von Bidder's How-To, http://fortytwo.

Re: Passphrase

2011-04-26 Thread Grant Olson
On 04/26/2011 06:38 PM, Stephen H. Dawson wrote: > Hi, > > > Dire need, hoping for help. > > I have my private and public keys, but you have neither the passphrase > nor a revocation certificate. I need to revoke my published key. Can > they recommend a bash script to discover the passphras

Re: Gnupg-users Digest, Vol 91, Issue 30

2011-04-19 Thread Grant Olson
On 4/19/11 3:17 PM, Mike Acker wrote: > On 04/19/2011 14:35, gnupg-users-requ...@gnupg.org wrote: >> Maybe because, since this is the support list for GnuPG, we are all >> thinking more about how to protect an encrypted file than about how to >> protect a server account. > relevance? > > what dif

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 1:02 PM, Mark H. Wood wrote: > > OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" > they are not readily visible to me. My eye tends to slide right past > it without taking anything in. > > This is why I tend to use something like APG to generate strings of > nonse

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 2:09 PM, Grant Olson wrote: > On 4/18/11 1:02 PM, Mark H. Wood wrote: >> >> OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" >> they are not readily visible to me. My eye tends to slide right past >> it without taking anythin

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 09:31 PM, Doug Barton wrote: > I agree that the description of baekdal's use case is pretty limited, > and his math may be optimistic. OTOH this page seems to cast doubt on > the idea that even comparatively simple passwords can be cracked in very > short time periods, and more import

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 07:39 PM, Grant Olson wrote: > > (you quoted 2.5 bits per char in another thread) Apologies, actually you didn't say this. You said, "English text has in the neighborhood of 1.5 to 2.5 bits of entropy per glyph." Just correcting myself because I know how

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 06:58 PM, Robert J. Hansen wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. > > I am giving a great big yuk to his methodology. There's no reference to the > entropy of text, for instance. His example of a three

Re: Signing a key (meaning)

2011-04-11 Thread Grant Olson
On 04/11/2011 07:09 PM, MFPA wrote: > Hi > > > On Monday 11 April 2011 at 11:49:10 PM, in > , Grant Olson wrote: > > >> I don't think it counts as the middle if you have >> access to the email account. > >> If I've got your logon info,

Re: Signing a key (meaning)

2011-04-11 Thread Grant Olson
On 4/11/11 6:34 PM, MFPA wrote: > >>> Unfortunately I'm not able to develop such an attack, >>> and think there is none of importance. Could you >>> please help me? > >> I personally don't think there is one. > > You already mentioned "the standard MITM attack." Isn't that one? > I don't thin

Re: Signing a key (meaning)

2011-04-11 Thread Grant Olson
On 4/11/11 4:18 AM, Jan Janka wrote: >>> One reason we use GnuPG for is we think it >>> is significant likely there's a "man in the >>> middle attack" or someone has access to email >>> accounts he should not have. Given that, what >>> benefit does one take from knowing my communication >>> pa

Re: Signing a key (meaning)

2011-04-10 Thread Grant Olson
On 04/10/2011 02:48 PM, Jan Janka wrote: > > But my point is as follows: > One reason we use GnuPG for is we think it is significant likely there's a > "man in the middle attack" or someone has access to email accounts he should > not have. Given that, what benefit does one take from knowing my

Is anyone using a SPR-332 smart card reader?

2011-04-09 Thread Grant Olson
I've been having some trouble. Basically, gpg2 (from git's STABLE-BRANCH-2.0) will prompt for a pin, but even if I enter the right one the unit buzzes. Looking at the logs, they report that pin entry was canceled. Any time I try to search around, I end up at the same thread from 2006: http://ww

Re: keys not available for signed messages in this maillist

2011-04-08 Thread Grant Olson
On 4/8/11 2:50 PM, Bernhard Kleine wrote: > > I am quite sure that Grant Olson's key is on the keyserver, thus there > is no matter of hiding it, as robert j.hansen suggested. however, i > wonder why i can't retrieve it. > > gpg --search-keys A18A54D > gpg: Suche nach "A18A54D" von hkp Server po

Re: Do not conflate key+userID certification with "vouching" [was: Re: How to verify the e-mail address when certifying OpenPGP User IDs]

2011-04-08 Thread Grant Olson
On 4/8/11 2:00 PM, Daniel Kahn Gillmor wrote: > On 04/07/2011 09:37 PM, Grant Olson wrote: >> Keep in mind that the web-of-trust isn't the mafia. If you 'vouch' for >> someone and they turn out to be a rat, nobody's going to two bullets in >> your chest,

Re: How to verify the e-mail address when certifying OpenPGP User IDs [was: Re: Signing a key (meaning)]

2011-04-07 Thread Grant Olson
On 4/7/11 8:05 PM, Jan Janka wrote: > Hi Daniel, > > thanks for the answer, but it seems to me with this procedure you only > check whether the person has access to the email address, you > don't check whether this access is illegal, don't you? > > Take care, > Jan > Well, yes, but the

Re: No SmartCard Daemon

2011-04-03 Thread Grant Olson
On 04/03/2011 03:05 PM, Grant Olson wrote: > > For some reason debian-based software includes scdaemon in the gpgsm > package. > > Part of me feels like this is a bug in the packaging, but I don't know > enough about debian packaging to file a bug report. That, or

Re: No SmartCard Daemon

2011-04-03 Thread Grant Olson
On 04/03/2011 07:24 AM, Paul R. wrote: > gpg: OpenPGP card not available: No SmartCard daemon > > I searched my system for scdaemon, but it is not installed. Also, I > checked my PATH environment variable to make sure that the PATH was > properly configured. I guessed that, perhaps, scdaemon had

Re: Public keys on smartcard

2011-04-01 Thread Grant Olson
On 4/1/11 3:51 AM, Astrakan wrote: > Does anyone know the max storage capability of the v2.0 OpenPGP-cards? A > few K? > The v2 spec says they should support at least 2048k keys. The actual cards say they can handle up to 3072k. -- Grant "I am gravely disappointed. Again you have made me unl

Re: [PGPNET] Jerome

2011-03-26 Thread Grant Olson
On 03/26/2011 02:16 PM, Lance W. Haverkamp wrote: > On 03/26/2011 11:23 AM, Jerome Baum wrote: >> Werner Koch writes: >> >>> On Sat, 26 Mar 2011 16:50, jer...@jeromebaum.com said: >> summarize: gpg-agent seems to have problems handling thrown keyids. >> >>> You mean the current development ve

Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:44 PM, Jerome Baum wrote: > Grant Olson writes: >> ECC actually is up-and-running in the beta for gpg 2.1, but >> realistically it'll be (at least) a few years before it gets mainstream >> adoption. > > You lose any interoperability as it

Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:32 PM, Jonathan Ely wrote: > What is ECC? Now I want that haha. > Elliptic Curve Cryptography https://secure.wikimedia.org/wikipedia/en/wiki/Elliptic_curve_cryptography Since it isn't based on prime numbers, it 'scales' better than RSA or DSA, and keys of similar security level

Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 07:29 PM, Robert J. Hansen wrote: > On 3/22/2011 6:53 PM, Grant Olson wrote: >> The actual cutting edge solution is to move from RSA to ECC. Even an >> 8192 bit or 16k bit RSA key isn't approved by the NSA or NIST for TOP >> SECRET materials, but ECC-521 i

Re: 4096 bit keys

2011-03-22 Thread Grant Olson
On 03/22/2011 06:06 PM, Jonathan Ely wrote: > I really wish 8192 would become available. Not that it would be the end > all/be all of key security but according to your theory it sounds much > more difficult to crack. > The actual cutting edge solution is to move from RSA to ECC. Even an 8192 bit

Re: what are the sub keys

2011-03-22 Thread Grant Olson
On 03/22/2011 06:37 PM, Jerome Baum wrote: > > So, I move my key to a smart card to gain the illusion that it's more > secure, while it practically isn't (at least not much more). > Why wouldn't it be more secure? Before my key was encrypted but available on disk, and available unencrypted i

Re: what are the sub keys

2011-03-22 Thread Grant Olson
On 03/22/2011 05:22 PM, Jerome Baum wrote: > > Are you talking about the option of moving a key to a smart card? > Because if I generate it on-card, I won't have the option of > RSA-4096. And will "average Joe" really move his key to a smart card if > he generated it off car

Re: Revoke signature from key

2011-03-21 Thread Grant Olson
On 03/21/2011 05:17 PM, Daniel Kahn Gillmor wrote: > On 03/21/2011 04:51 PM, Grant Olson wrote: >> >> But that doesn't provide any easy way for me to only trust your >> identity+metadata certifications, if, for example, I trust you to sign >> in your role for a

Re: deniability

2011-03-21 Thread Grant Olson
On 03/21/2011 12:24 PM, Jerome Baum wrote: > "ved...@nym.hush.com" writes: >> [4] Post the encrypted file to a newsgroup like comp.pgp.test or >> other group that allows test postings. > > Yes, per above. But good idea to not use an anonymous group -- this way > I can say I was testing stuff. >

Re: Revoke signature from key

2011-03-21 Thread Grant Olson
On 03/21/2011 04:18 PM, Daniel Kahn Gillmor wrote: > On 03/21/2011 04:05 PM, David Shaw wrote: >> While the common usage for regular users is to sign based on checking >> identity, signatures can be just as well used as a token to indicate >> membership. For example, the PGP product has the con

Re: libgcrypt git repository

2011-03-21 Thread Grant Olson
On 3/21/11 8:21 AM, Chris Ruff wrote: > Is this an error on my part. I went to git pull on the latest trunk for > gnupg and during configure discovered a newer libgcrypt (>=1.5.0) & > libksba (>=1.2.0) was needed. However a git pull resulted in the > following error: > > $ git clone git://git.gn

Re: KEYSERVER

2011-03-20 Thread Grant Olson
On 03/20/2011 05:29 PM, Mike Acker wrote: > On 03/20/2011 17:19, Jonathan Ely wrote: >> It can be complicated; it is for me since I am still new to this. I only >> ‘trust fully’ those keys who come from people who I think would not fake >> identity, or have no reason not to be trusted fully. Is it

Re: Keyservers

2011-03-20 Thread Grant Olson
On 03/20/2011 05:16 PM, Jonathan Ely wrote: > Really? For me, it is much easier to access the newest reply instead of > using the Down Arrow key to find it. Gmail always worked the same way > for me. > Ingo's talking about the body of the message. Most mailing lists people reply after the questi

Re: Keyservers

2011-03-20 Thread Grant Olson
On 03/20/2011 04:31 PM, Ben McGinnes wrote: > On 21/03/11 6:48 AM, Jonathan Ely wrote: >> >> I do not use the Gmail interface any more; I only use the >> Thunderbird client and typed the signature in the edit field found >> in the Tools | Account options | General dialogue. It always appears >> in

Re: keyservers

2011-03-19 Thread Grant Olson
On 03/19/2011 02:07 PM, MFPA wrote: > Hi > > > On Friday 18 March 2011 at 5:48:47 PM, in > , Grant Olson wrote: > > >> Until then, I'll just use my favorite member of the sks >> pool: gingerbear.net. > > Is it your favourite because of the nam

Re: keyservers

2011-03-18 Thread Grant Olson
On 3/17/11 10:57 PM, John Clizbe wrote: > > yeah, and keys.kfwebs.net, Kristian's keyserver which hosts the pool code, is > also down. Still no word from him on sks-devel. Of course, he might not be > able > to get the mail if the server is offline. > > -John > Some news is starting to pop up

Re: keyservers

2011-03-17 Thread Grant Olson
On 3/17/11 4:43 PM, Andrew Long wrote: > Anyone else having problems accessing pool.sks-keyservers.net? I've > tried pointing nslookup at a couple of the root DNS name servers and get > DOMAIN (not known) > There were a few emails on sks-devel this morning. Apparently it is indeed down. http://

Re: For Windows

2011-03-13 Thread Grant Olson
On 03/13/2011 10:57 AM, Jerry wrote: > On Sun, 13 Mar 2011 08:19:58 -0600 > Aaron Toponce articulated: > >> On 03/13/2011 06:56 AM, Brad Rogers wrote: >>> On Sun, 13 Mar 2011 06:05:12 -0600 >>> Aaron Toponce wrote: >>> >>> Hello Aaron, >>> On 03/13/2011 05:42 AM, Jerry wrote: > Actually

Re: For Windows

2011-03-11 Thread Grant Olson
On 3/11/11 3:50 PM, Jonathan Ely wrote: > Hello. I use Enigmail, so of course I have GnuPG installed. I use 1.4.9 > because [1] I can not find an executable for 2.0.17 for Windows, and [2] > I do not know how to configure the GPG-agent. Can somebody please assist > me with upgrading to 2.0.17 and c

Re: "This key may be unsafe"

2011-03-07 Thread Grant Olson
On 3/7/11 5:32 PM, Robert J. Hansen wrote: > On 3/7/11 4:03 PM, Charly Avital wrote: >> Are keys whose length is equal or inferior to 1024 bits *unsafe*? > > A 1024-bit key is believed to be roughly comparable to an 80-bit > symmetric key. I am comfortable saying this is a reasonable level of > s

Re: Security of the gpg private keyring?

2011-02-28 Thread Grant Olson
On 02/28/2011 09:08 PM, Robert J. Hansen wrote: >> There are probably many more issues like that tucked away once you start >> to think seriously about implementing the feature properly. > > There's a lot of stuff in the literature on this subject. This sort of > behavior is usually called ORCON

Re: hashed user IDs [was: Re: Security of the gpg private keyring?]

2011-02-28 Thread Grant Olson
On 02/28/2011 08:54 PM, Daniel Kahn Gillmor wrote: > On 02/28/2011 07:44 PM, Grant Olson wrote: > > You can pull a copy of a stalled/never-submitted Internet-Draft from here: > > git://lair.fifthhorseman.net/~dkg/openpgp-hashed-userids > > If anyone wants to push this f

Re: Security of the gpg private keyring?

2011-02-28 Thread Grant Olson
On 02/28/2011 08:15 PM, Hauke Laging wrote: > On Tuesday 01 March 2011 01:32:05 Grant Olson wrote: > >> If I upload a key to >> pool1.sks-keyservers.net, and it tries to sync with >> pool2.sks-keyservers.net, how do you maintain the custody chain? > > Can you ex

Re: Security of the gpg private keyring?

2011-02-28 Thread Grant Olson
On 2/28/11 7:09 PM, Daniel Kahn Gillmor wrote: > On 02/28/2011 06:38 PM, David Shaw wrote: >> I think the problem here is the large size of the deployed infrastructure >> that expects user IDs to have email addresses in them combined with the >> relatively few people who are asking for this featu

Re: Security of the gpg private keyring?

2011-02-28 Thread Grant Olson
On 2/28/11 7:09 PM, David Tomaschik wrote: > On 02/28/2011 05:40 PM, MFPA wrote: >> >> I think key UIDs generally reveal more information than I am >> comfortable with. For example, why does your UID need to contain your >> email address in plain text rather than as a hash? Searching for that >> em

Re: plateform supported ?

2011-02-28 Thread Grant Olson
On 2/28/11 12:42 PM, Benjamin Donnachie wrote: > On 28 Feb 2011, at 17:29, florent ainardi > wrote: >> >> i have a simple question >> > May I suggest that you consolidate all your queries into a single email? > And perhaps invest 15-20 minutes giving the software a b

Re: Question regarding shared keys

2011-02-28 Thread Grant Olson
On 2/28/11 2:07 AM, Denise Schmid wrote: >> It depends on what you mean by a "shared key". There is just giving a >> copy of the key to multiple people (in which case any one of them can use >> it), >> or there are various key splitting algorithms where a key is broken into a >> number of pieces,

Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Grant Olson
On 02/27/2011 11:48 PM, Ben McGinnes wrote: > On 28/02/11 2:59 PM, Grant Olson wrote: >> >> I've been toying with the idea of expiring my key and seeing how >> long it takes for anyone to notice. In fact, I've just decided I >> will do this sometime in the ne

Re: Android PGP/MIME test results

2011-02-27 Thread Grant Olson
On 02/27/2011 11:29 PM, David Shaw wrote: > Not exactly Android, but FWIW, an iPod touch (which has the same mail program > as an iPhone) displays PGP/MIME just fine (as in shows the mail - but doesn't > verify the signature). > > David > > It's worth a lot. Since the rationale behind this th

Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Grant Olson
On 02/27/2011 10:22 PM, Ben McGinnes wrote: > On 28/02/11 2:02 PM, David Shaw wrote: >> >> I'm not at all surprised that you had those results. A limited >> subset of people have support for OpenPGP signatures. A limited >> subset of those people actually verify signatures. A limited subset >> o

Android PGP/MIME test results

2011-02-27 Thread Grant Olson
Provider: Boost Manufacturer: Motorola Model: I1 Droid version: 1.5 This phone has two mail applications by default, one called 'email' and another called 'gmail'. Both displayed PGP/MIME messages without any trouble. Neither verified sigs of course. I see no easy way to determine the version n

Re: PGP/MIME considered harmful for mobile

2011-02-27 Thread Grant Olson
On 02/27/2011 02:37 PM, Martin Gollowitzer wrote: > * Robert J. Hansen [110227 20:28]: >>> How about "inline confuses users who don't know anything about OpenPGP"? >> >> 1. Why are you sending them signed emails anyway? > > I sign *all* my e-mail

Re: GnuPG Card with ssh authentication problems

2011-02-27 Thread Grant Olson
On 02/27/2011 11:40 AM, Werner Koch wrote: > On Sun, 27 Feb 2011 06:43, br...@frogandbear.net said: > >> I do find it a little odd that GnuPG's very own (and from the looks of >> it, old) documentation (1) lists the 3121 as a supported reader, along >> with several other outdated models. > > Sorr

Re: GnuPG Card with ssh authentication problems

2011-02-26 Thread Grant Olson
On 02/26/2011 11:51 PM, Brady Young wrote: > > Thought I would update and say I finally got this working correctly. > > Apparently with the Omnikey Cardman 3121, the vendor drivers *must* be > used. Once those were installed, and daemons restarted, ssh-add -l had > no problem grabbing the key off

Re: GnuPG Card with ssh authentication problems

2011-02-26 Thread Grant Olson
On 02/26/2011 10:06 PM, Brady Young wrote: > > > In any case, I understand the next step is to get the ssh-ified version > of the key, adding it to ~/.ssh/authorized_keys on the remote host: > > $ gpgkey2ssh 3B70AC3E > file_to_upload > > (file_to_upload is scp'd over to remote host in correct l

Re: SCR3310 reader working for root, but not scard group

2011-02-26 Thread Grant Olson
On 02/26/2011 08:52 PM, David Tomaschik wrote: > > I have a 3310 and with pcscd, I haven't even found the need to use the > scard group. I have found that occasionally I have to restart > scdaemon in order to get new readers/cards recognized. I haven't > narrowed it down specifically yet. (I ju

Re: Smart Card Physical Best Practices?

2011-02-26 Thread Grant Olson
On 02/26/2011 09:40 PM, David Tomaschik wrote: > > I've recently received my smart card, but was wondering what the "best > practices" are, mainly from a physical standpoint. When I use it in > my laptop reader, it sticks about 2" out of the side, and I have some > concern about this (i.e., getti

Re: SCR3310 reader working for root, but not scard group

2011-02-26 Thread Grant Olson
On 02/26/2011 07:45 PM, Todd A. Jacobs wrote: > I have an SCR3310 card reader on an Ubuntu 10.10 system, and installed > the drivers through the libccid package. This works out of the box for > root, but mortal users can't access the card at all. I tried a lightly > modified version of the scripts

Re: ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory

2011-02-15 Thread Grant Olson
On 02/16/2011 12:02 AM, David Shaw wrote: > > In future I will always ensure to use my time machine when replying, since > clearly people replying to a message from 4:26 should know the information > revealed in a completely different message from one hour later at 5:25. > > Really, it's just a

Re: Help with OpenPGP plugin in Mozilla Thunderbird and Claws Mail

2011-02-15 Thread Grant Olson
On 2/15/11 8:38 AM, AgoristTeen1994 wrote: > > Okay thanks for the help though I'm still somewhat confused...I understand > that the key id is the entire keypair, but then how do I find out what is > just my public key, and just my secret key, the reason I'm asking is that if > I want to give m

Re: Help with OpenPGP plugin in Mozilla Thunderbird and Claws Mail

2011-02-13 Thread Grant Olson
On 02/13/2011 03:03 AM, AgoristTeen1994 wrote: > > Hey, this is going to seem like stupid questions, but, I just found out about > PGP, OpenPGP, and GnuPG yesterday, and I didn't create a key pair until > about 2 hours ago, so I'm pretty unaware of how some thing work...First is, > that using eith

How do I import an X.509 Certificate onto an OpenPGP smartcard?

2011-02-12 Thread Grant Olson
In both the product description for the OpenPGP V2.0 card and the spec itself there is some discussion of a "Cardholder Certificate" Data Object in the V2.0 cards. I've got one of those free X.509 email certificate from Comodo, and was attempting to upload it to the card. I can import the .p12 fi

Re: gpg --check-sigs should indicate if a signature is made by a revoked/compromised key

2011-02-09 Thread Grant Olson
On 2/9/11 3:00 PM, Daniel Kahn Gillmor wrote: > gpg --check-sigs produces information about whether a certification was > revoked, but not whether the certification was made by a key which > itself was revoked. > The man page does say that this is intentionally not done for performance reasons:

Re: Problems to migrate keys between two windows pcs

2011-02-07 Thread Grant Olson
On 2/7/11 2:59 AM, Kraus, Daniel wrote: > > I try to give a résumé: > I exported my whole keyring (all public and private keys) from the old > version and imported it into my new version apparently successfully. > I'm able to encrypt a file with the public key of one of our partners > and they are

Re: IPC call failed

2011-02-05 Thread Grant Olson
On 02/04/2011 05:49 PM, Justin Teaw wrote: > > Does anyone have a solution for this problem? Do you know what socket > the gpg-agent is using? > What OS? What version of gnupg? What commands are you trying to run? How are you trying to run them: batch file, command line, program like enigmail

Re: Did I just fry my smartcard?

2011-01-30 Thread Grant Olson
On 01/30/2011 11:18 AM, Grant Olson wrote: > > > With those options enabled, I tried issuing the reset codes. First time > it complained because no card was inserted. Second time it complained > because it couldn't find a supported application on the card. I'm not

Re: Did I just fry my smartcard?

2011-01-30 Thread Grant Olson
On 01/30/2011 06:03 AM, Werner Koch wrote: > On Sat, 29 Jan 2011 19:54, k...@grant-olson.net said: > >> gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00' >> gpg: pcsc_connect failed: sharing violation (0x801b) > > Another process has locked the reader. Most likely this is either a g

Did I just fry my smartcard?

2011-01-29 Thread Grant Olson
This is actually a spare card I was just messing around with, not my main one. It's a standard OpenPGP v2.0 card from g10. I wanted to reset the card to the factory defaults and mess around with the onboard key generation. I issued the series of commands listed here, among other places: http://

Re: ID-000 SmartCard Form Factor

2011-01-28 Thread Grant Olson
On 01/28/2011 09:42 PM, David Tomaschik wrote: > While I realize that the ID-1 (full size) cards can be used with card > readers that support PIN entry, are there any other > advantages/disadvantages to one size over the other? At present, I feel > like the ID-000 form factor has more advantages be

Re: SmartCard Import/Export

2011-01-26 Thread Grant Olson
On 1/26/11 4:03 PM, David Tomaschik wrote: > Anyone in the US ever order the OpenPGP smartcards from Kernel > Concepts? I'm wondering if there are any customs issues I should be > aware of. I'm thinking of trying to get a few people together around > here to do a bulk order to cut shipping costs,

Re: Future plans for implementation of other algorithms

2011-01-26 Thread Grant Olson
On 1/26/11 3:37 PM, Avi wrote: > As someone who uses GnuPG on a USB stick under Windows, I sincerely hope > that elliptical curves get added to the 1.4 trunk. > > --Avi > That was completely uninformed speculation on my part. But I still think that like any new standard and technology, even

Re: Future plans for implementation of other algorithms

2011-01-25 Thread Grant Olson
On 01/25/2011 07:59 PM, Joseph Ziff wrote: > Just out of curiosity (this might be the wrong mailing list for this so > I apologize in advance if that is the case), are there any plans for > implementing any other encryption/signing algorithms in GPG and if so > what are they? I think it's really t

Re: SSH authentication using OpenPGP 2.0 smartcard

2011-01-25 Thread Grant Olson
On 1/25/11 12:16 PM, Grant Olson wrote: > > I just setup Debian 6.0RC1 last week. I have a key I've already been > using to ssh. I had no problems. Just needed to add some stuff to > .bashrc as documented in the manpage for gpg-agent. > Actually, I also needed to run

Re: SSH authentication using OpenPGP 2.0 smartcard

2011-01-25 Thread Grant Olson
On 1/25/11 10:07 AM, Patryk Cisek wrote: > Hi, > > I've been successfully using OpenPGP smartcard for signing my Debian > uploads for a while now. Today I wanted to set it up also for SSH > public key authentication. > Did you create an authentication key? You might only have signing and encryp

Do smartcards stay unlocked forever by design?

2011-01-17 Thread Grant Olson
Hey all, I've been using a smartcard for several months now. It's a cryptostick if the model is important. Every time I sign something, it asks me for my pin. But once the card is unlocked, ssh authentication and decryption seem to happen forever, regardless of any ttl-cache settings in gpg-age

Official gnupg signing key (0x1CE0C630) expired

2011-01-11 Thread Grant Olson
I'm assuming this just needs the year end bump. Looks like it expired 12-31-2010. -Grant

Re: Signing

2011-01-02 Thread Grant Olson
about. It validates that the email address is controlled by the key owner (barring a man-in-the-middle attack), and does nothing to validate the person himself. But anyway, I'd be reluctant to sign a key that said something like "Grant Olson (Nightwatch Division) " if I knew this per
