On Thu, Apr 24, 2008 at 08:45:02AM -0400, [EMAIL PROTECTED] wrote:
> My reply is probably very nearly pedantic, but the question
> raised is a venerable one: Do you want your system to be
> name-centric or key-centric. A name-centric system is one
> where the name is the identity, per se, and the
Besides, as the Bard says, what's in a name? Binding a key to a name
doesn't tell you much. First consider what it is you want to prove,
and then you will know what bindings you require.
Consider also the distinction between the information required to
investigate an identity and the information
> Although commonly used, a name is not a good measure for identity.
My reply is probably very nearly pedantic, but the question
raised is a venerable one: Do you want your system to be
name-centric or key-centric. A name-centric system is one
where the name is the identity, per se, and the k
On Thu, 2008-04-24 at 07:56 +0200, Michel Messerschmidt wrote:
> What about second/third ... names, name changes (e.g. marriage),
> offical pseudonyms (e.g. artist names in Germany), ... ?
Yes of course,.. and lots of other things in other countries and
cultures.
> > The reason: As a mathematicio
On Thu, Apr 24, 2008 at 02:59:40AM +0200, Christoph Anton Mitterer wrote:
> Of course we could even discuss what's part of the name?! What about
> academic titles like "Dr." or "PhD", stuff from monarchy (OBE, Sir,
> Dame, HRH, Prince, etc.) religious "titles" like "PP", "Cardinal", etc.?
What
Quoting reynt0 <[EMAIL PROTECTED]>:
Well, not specially (ignoring the polite grammar using the
form of questions). What it was is a suggestion, stated
in third person and a first person example, why one part
of your suggestions/opinions might not be a good fit
with gpg. IMHO, of course. That's
On Wed, 23 Apr 2008, Christoph Anton Mitterer wrote:
On Wed, 2008-04-23 at 13:41 -0400, reynt0 wrote:
(This is a late comment, I'm catching up reading email, and
Herr C.A.M has mentioned his idea a couple of times.)
[snip snap]
Does this contain any question?
Well, not specially (ignoring t
On Wed, 2008-04-23 at 13:41 -0400, reynt0 wrote:
> (This is a late comment, I'm catching up reading email, and
> Herr C.A.M has mentioned his idea a couple of times.)
[snip snap]
Does this contain any question?
Regards,
Chris.
___
Gnupg-users mailing
On Wed, 16 Apr 2008, Christoph Anton Mitterer wrote:
. . .
I don't want to discourage you from suggesting changes, but I do
advise that you really understand what you are suggesting. For
example, the ideas around user IDs being required to be full names
show misunderstanding of the OpenPGP trus
Dear David.
On Wed, 2008-04-16 at 09:29 -0400, David Shaw wrote:
> I think - and please understand I do not mean this as an attack on you
Of course not :)
> - that before someone proposes sweeping changes to an RFC, they must
> really understand the history and reasoning behind the original
On Wed, 2008-04-16 at 08:41 -0400, David Shaw wrote:
> I was pretty much getting out of this thread as non-useful, but I have
> to comment on this. It's not true. GPG does not export
> non-exportable signatures.
Hmm I wonder if it's worth the effort to publish a review on the RFC,
would ideas be
On Apr 16, 2008, at 9:04 AM, Christoph Anton Mitterer wrote:
On Wed, 2008-04-16 at 08:41 -0400, David Shaw wrote:
I was pretty much getting out of this thread as non-useful, but I
have
to comment on this. It's not true. GPG does not export
non-exportable signatures.
Hmm I wonder if it's wor
On Wed, Apr 16, 2008 at 10:46:08AM +0200, Christoph Anton Mitterer wrote:
> > Arguing "GnuPG should support a nonconformant extension to the spec" is
> > probably not going to get much of anywhere.
> > > But I'd like to know it this leads to improved security or not:
> Specs are moving,... and im
Dear Robert.
On Tue, 2008-04-15 at 20:35 -0500, Robert J. Hansen wrote:
> Christoph Anton Mitterer wrote:
> > But it does not say that it has to contain the must-have algos.
> As has been mentioned here at least twice now, see section 13.2, where
> it explicitly says if the MUSTs are not listed, t
Hi!
Am Dienstag, den 15.04.2008, 20:35 -0500 schrieb Robert J. Hansen:
> > Even if those subpacktes would be used in my suggested way, each
> > implementation would know "Nanana, 3DES is a fallback, so in each case I
> > can find my algorithm match", but in addition to that a user could force
> >
Christoph Anton Mitterer wrote:
> But it does not say that it has to contain the must-have algos.
As has been mentioned here at least twice now, see section 13.2, where
it explicitly says if the MUSTs are not listed, they are tacitly listed.
I do not understand how much clearer I can make this.
Dear David.
On Tue, 2008-04-15 at 17:54 -0400, David Shaw wrote:
> > > A specification does not set a high-water mark for implementations. It
> > > sets a low-water mark. Implementations are free to restrict keys in any
> > > way they want, so long as the low-water mark is met. If you want to
>
On Tue, 2008-04-15 at 18:04 -0400, David Shaw wrote:
> It will work with GPG. I can't speak for other programs, but it's
> legal by the spec, so it should work everywhere.
>
> Mind you, you're going to hurt yourself, but it's legal by the spec.
Ok this I've already asked everything in my previous
On Tue, Apr 15, 2008 at 08:40:17AM -0500, Robert J. Hansen wrote:
>> Why? Just because new (perhaps incompatible) features are added in
>> newer versions,... nobody has to use that newer versions, right?
>
> If you put GnuPG 3.0 available for download, everyone who's looking for the
> latest relea
On Mon, Apr 14, 2008 at 08:43:14PM -0500, Robert J. Hansen wrote:
> Herbert Furting wrote:
> > gpg is probably THE main implementation of OpenPGP (sorry to the
> > commercial PGP folks ;) ),... as such I think it should support most
> > of the stuff from OpenPGP, or not?
>
> Depends on who you as
On Mon, Apr 14, 2008 at 11:22:59PM +0200, Herbert Furting wrote:
> > > While the standard seems to allow this,.. gpg does not (it won't sign a
> > > UID
> > > when the a self-sig has been revoked before).
> > > How can I solve this?
> > GPG allows this. Add "--expert" to your command line when y
On Tue, Apr 15, 2008 at 02:31:07AM +0200, Herbert Furting wrote:
> On Mon, 2008-04-14 at 18:06 -0500, Robert J. Hansen wrote:
> > 1. You didn't ask for the option to allow zero-length UIDs. If you'd
> > asked for that option, I would have given it. You asked "why does
> > GnuPG have a m
On Tue, 15 Apr 2008 15:03, [EMAIL PROTECTED] said:
> This is how GnuPG was developed, by and large. In the very early days,
> GnuPG supported only the bare minimum necessary to conform to the RFC.
> Features like Twofish support were not added until the MUSTs were well
Actually GnuPG predates Op
1) This is the cost of advance...
2) btw: I've never said that one mustn't provide backward compatibility.
Of course there are things that would break that (e.g. use something
else than SHA1 for fingerprints) but my ideas about how to interpret
the standard, and where to put some subpacktes wouldn'
Why? Just because new (perhaps incompatible) features are added in
newer versions,... nobody has to use that newer versions, right?
If you put GnuPG 3.0 available for download, everyone who's looking for
the latest release will grab it. The people who are quite happy with
1.2, 1.4 or 2.0 won'
On Tue, Apr 15, 2008 at 3:03 PM, Robert J. Hansen <[EMAIL PROTECTED]> wrote:
> One of the best techniques available to us for controlling complexity in
> software--and definitely the simplest--is to take a chainsaw to the
> feature list. Go through the specification and copy down every single
>
Herbert Furting wrote:
The standard allows for terabit RSA keys. Should GnuPG allow them?
Yes why not,... but only in an expert mode.
You may want to consider re-reading your answer a few times and asking
yourself, "why do I feel this way, and why do other people feel the way
they do?" It m
Herbert Furting schrieb:
But imagine the following:
Yours: 3DES, AES256
Mine: AES256, 3DES
Which one is chosen now? But when I only include AES256 I can at least
somewhat control it.
If *you* send, it is AES; if RJH sent, it would be 3DES.
It doesn't matter if your key indicates a preference
Herbert Furting schrieb:
Ah you think cryptography is engineering? Always thought it would be math.
Implementing crypto is purest engineering.
Not even algorithm design is pure math if you think of timing or power
consumption attacks that might have to be considered.
Anyway if we always say
On Tue, Apr 15, 2008 at 3:43 AM, Robert J. Hansen <[EMAIL PROTECTED]> wrote:
> > While this doesn't make sense ("nothing" is bound to the key) it
> > wouldn't hurt either.
> It violates a de-facto standard. That hurts.
Don't see why,.. but... however.
> > I just think, that an implementation sho
Robert J. Hansen (15.04.2008 06:06):
> ... Rijndael is AES, incidentally. Rijndael was the name it was
> submitted under to the AES competition. Once it was chosen as the
> winner, it became AES. And yes, I have seen people passionately
> advocating for the inclusion of Rijndael in OpenPGP, desp
Herbert Furting wrote:
> While this doesn't make sense ("nothing" is bound to the key) it
> wouldn't hurt either.
It violates a de-facto standard. That hurts.
> I just think, that an implementation should not forbid things, that
> are allowed by the standard.
The standard allows for terabit RS
On Mon, 2008-04-14 at 18:08 -0500, Robert J. Hansen wrote:
> Herbert Furting wrote:
> > Ah thanks,.. wouldn't it make sense to merge this with the expert flag?
>
> Yes. No. Maybe.
That's a word.
> > So as far as I understand,.. I should actually gain some security, at
> > least from the point
On Mon, 2008-04-14 at 18:06 -0500, Robert J. Hansen wrote:
> 1. You didn't ask for the option to allow zero-length UIDs. If you'd
> asked for that option, I would have given it. You asked "why does
> GnuPG have a minimum size of five characters", "is this imposed by
> RFC4880", and
Herbert Furting wrote:
> Ah thanks,.. wouldn't it make sense to merge this with the expert flag?
Yes. No. Maybe.
HCI (Human-Computer Interaction) is an infamously black art. What one
person thinks is the most obvious set of options for them is a Byzantine
kludge to another.
It might make sens
Herbert Furting wrote:
>>> 1) When creating a new UID, why does gpg have a minimum size of 5
>>> characters? This is not imposed by RFC4880? Where can I report
>>> this bug.
>>
>> It's not a bug. It's a deliberate design decision on the part of
>> the GnuPG authors.
>
> Uhm,.. apart from the
On Mon, 2008-04-14 at 12:19 -0500, Robert J. Hansen wrote:
> > 1) When creating a new UID, why does gpg have a minimum size of 5
> > characters? This is not imposed by RFC4880? Where can I report this bug.
> It's not a bug. It's a deliberate design decision on the part of the
> GnuPG authors.
Uhm
Hi David.
On Mon, 2008-04-14 at 13:41 -0400, David Shaw wrote:
> Not a bug. It's there to protect people from making poor UIDs. you
> can turn off the check with --allow-freeform-uid.
Ah thanks,.. wouldn't it make sense to merge this with the expert flag?
> > While the standard seems to all
On Mon, Apr 14, 2008 at 04:46:33PM +0200, Herbert Furting wrote:
> Hi list.
>
> I've got some questions...
>
> 1) When creating a new UID, why does gpg have a minimum size of 5
> characters? This is not imposed by RFC4880? Where can I report this bug.
Not a bug. It's there to protect people fro
Herbert Furting wrote:
> 1) When creating a new UID, why does gpg have a minimum size of 5
> characters? This is not imposed by RFC4880? Where can I report this bug.
It's not a bug. It's a deliberate design decision on the part of the
GnuPG authors.
> 2) I have a key that is already published to
Hi list.
I've got some questions...
1) When creating a new UID, why does gpg have a minimum size of 5
characters? This is not imposed by RFC4880? Where can I report this bug.
2) I have a key that is already published to keyservers. Unfortunately it
uses old SHA1 as hasing algorithm.
Now I want
41 matches
Mail list logo
