Hello,
I hope you can give me some advice on the following problem:
We have an OpenPGP key which we use for signing our software releases.
That key should be changed yearly and carry an expiration date to
enforce this change. However, for the signatures to be useful, the key
has to be signed by qu
On Thu, 5 May 2011 08:52, aheinl...@gmx.com said:
> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for the signatures to be useful, the key
> has to be signed by quite a lot
On 05/04/2011 11:34 PM, Robert J. Hansen wrote:
> For the better part of a decade now I've volunteered to publish my private
> certificate in the _New York Times_ if someone will pay for the advertising
> space. With a strong passphrase that's not known to anyone else, the private
> certificate
> The internet seems like a wider (and cheaper) distribution method than
> the NYT. So what are you waiting for? I hereby volunteer to cover your
> costs for posting your secret key to this mailing list :P
The instant a test costs someone money, they have a financial interest in
making sure the
On Thursday, 5 May 2011, 11:19:30, Werner Koch wrote:
> A
> period key change is problematic because it confuses those who want to
> verify the signatures.
>
> BTW, the prolongation of the expiration time has shown (by means of a
> lot of complaining mails) that many folks don't refresh the
On Thu, 5 May 2011 17:07, mailinglis...@hauke-laging.de said:
> Are there people who check the subkey IDs of old and new signatures, get
> confused by a change despite gpg saying it's all right (which IMHO demands
> they have not understood the concept of subkeys)?
No they are confused that
Hauke Laging wrote:
>
> BTW: Would it be a good idea for gpg to suggest the user to check for an
> updated version of the key (or do it automatically before if configured to do
> so) if it finds an expired subkey? This would probably not work with the GUIs
> though (but might make the GUI develo
On Thu, 05 May 2011 09:15:40 -0400, Daniel Kahn Gillmor
wrote:
> The internet seems like a wider (and cheaper) distribution method than
> the NYT. So what are you waiting for? I hereby volunteer to cover your
> costs for posting your secret key to this mailing list :P
Should we start a pot?
j
On 5/5/11 2:52 AM, Andreas Heinlein wrote:
> Hello,
>
> I hope you can give me some advice on the following problem:
>
> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change. However, for th
Forgive the simple gpg syntax issue,
I have
gpg --verbose --trust-model always --yes --armour --recipient X_UCLA
--encrypt $T1
which encrypts a file, I would like to sign it in the same command, I would
like the output
to be $T1.asc
if I sign it separately:
gpg -u UCLA_XX2009 --
On Thursday, 5 May 2011, 20:40:03, Yard, John wrote:
> which encrypts a file, I would like to sign it in the same command,
This is done by putting --encrypt and --sign into a single command.
> I would like the output to be $T1.asc
This can be controlled by --output.
Hauke
--
PGP: D44C
On 05/04/2011 23:52, Andreas Heinlein wrote:
> We have an OpenPGP key which we use for signing our software releases.
> That key should be changed yearly and carry an expiration date to
> enforce this change.
What are you trying to accomplish by doing it this way? I've yet to see
a good rationale for
Yard, John wrote:
> Forgive the simple gpg syntax issue,
>
> I have
>
> gpg --verbose --trust-model always --yes --armour --recipient X_UCLA
--encrypt $T1
>
> which encrypts a file, I would like to sign it in the same command, I would
like the output to be $T1.asc
>
gpg -v --yes --trust-
Thank you JYard
-Original Message-
From: John Clizbe [mailto:j...@enigmail.net]
Sent: Thursday, May 05, 2011 1:18 PM
To: GnuPG Users
Cc: Yard, John
Subject: Re: simple gpg syntax question
Yard, John wrote:
> Forgive the simple gpg syntax issue,
>
> I have
>
> gpg --verbose --trust-mo
On Thu, May 5, 2011 at 19:21, Jon Drukman wrote:
> On Wed, May 4, 2011 at 5:44 PM, Jerome Baum wrote:
>
>> Again, what if the keyring is already in place? Could even be yourself --
>> you create the keyring once, import the public key at the time, then later
>> update the public key and import a
On Thu, May 5, 2011 at 16:11, Robert J. Hansen wrote:
> Or, put another way, if I do it for free few people but me
> will be convinced.
>
So, put out a bounty.
> If I for a second thought that by posting my (well-secured!) private
> certificate to the Net I could convince people of the effecti
On Thu, May 5, 2011 at 15:15, Daniel Kahn Gillmor wrote:
> PS If Robert follows through on this, he certainly wouldn't be the only
> person to publish his secret key. Search for "BEGIN PGP PRIVATE KEY
> BLOCK" in your favorite search engine.
>
I do wonder how many of those are to make past signa
> So, put out a bounty.
You're the one who's talking about basic economics, so let's apply some:
You want me to put my own money at risk (an incredibly small risk, yes, pretty
close to epsilon: but not a zero risk) in order so other people can feel better
about their GnuPG installations -- but
Does having possession of your secret key really make you less secure?
I mean the whole purpose of a passphrase is because you assume your
secret key is *not* safe simply being unprotected in your possession.
Law enforcement, hackers, even friends could *easily* get physical
access to your key so i
> For the latter, I don't get it -- it's not like keeping the key secret takes
> a lot of effort -- but it does decrease your security ever so slightly.
> Besides proving a point, why would you publish?
Because the _New York Times_ keeps records of all the papers it's ever
published. It can be
On Fri, May 6, 2011 at 00:45, Anthony Papillion wrote:
> Does having possession of your secret key really make you less secure?
>
Yes.
> I mean the whole purpose of a passphrase is because you assume your
> secret key is *not* safe simply being unprotected in your possession.
Law enforcement,
On Fri, May 6, 2011 at 00:46, Robert J. Hansen wrote:
> Because the _New York Times_ keeps records of all the papers it's ever
> published. It can be seen as a highly effective, if low-tech, long-term
> archival solution. Paperkey the private certificate, publish it in the NYT,
> verify the acc
On Fri, May 6, 2011 at 00:43, Robert J. Hansen wrote:
> > So, put out a bounty.
>
> You're the one who's talking about basic economics, so let's apply some:
>
> You want me to put my own money at risk (an incredibly small risk, yes,
> pretty close to epsilon: but not a zero risk) in order so othe
>
> On Fri, May 6, 2011 at 01:32, Jerome Baum wrote:
On Fri, May 6, 2011 at 01:31, Jerome Baum wrote:
>
>>
>>> > Posting the key here is free, you say. So, there is no contra. Just go
>>> post it. Basic economics...
>>>
>>> First, I didn't say it. Daniel said it.
>>>
>>
>> Sorry about that one.
> Totally OT, but can you think of an example that is entirely free? As in,
> zero theoretical cost?
Space. I'm perfectly happy to sell you a cubic meter of space somewhere within
a lightyear of Betelgeuse.
Before anyone thinks I'm being sarcastic, I'm not. That's a frank and honest
answer t
> When I post the second follow-up to my own email, it's time to go to sleep.
> Here you go:
>
> Or, put another way, if I do it for free few people but me
> will be convinced.
>
> So, Robert did say it.
Only if you assume that I meant "for free" as in "without cost to myself" --
which, as I h
On Fri, May 6, 2011 at 01:31, Jerome Baum wrote:
>
>> > Posting the key here is free, you say. So, there is no contra. Just go
>> post it. Basic economics...
>>
>> First, I didn't say it. Daniel said it.
>>
>
> Sorry about that one. Ignore the point then -- you obviously "get"
> economics and I
How about putting it on to twitter so it can be archived into the LOC?
On May 5, 2011, at 6:46 PM, Robert J. Hansen wrote:
>> For the latter, I don't get it -- it's not like keeping the key secret takes
>> a lot of effort -- but it does decrease your security ever so slightly.
>> Besides provin
On Fri, May 6, 2011 at 01:43, Robert J. Hansen wrote:
> > Totally OT, but can you think of an example that is entirely free? As in,
> zero theoretical cost?
>
> Space. I'm perfectly happy to sell you a cubic meter of space somewhere
> within a lightyear of Betelgeuse.
>
> Before anyone thinks I'
> Nonetheless, it gets incredibly close. I wonder if there might be a cost
> involved with acquiring anything -- at the very least, you have to make the
> decision to acquire it.
Necessarily there must be. Free trade depends on value differentials, after
all. If I have a candy bar that I thin
On Fri, May 6, 2011 at 02:19, Robert J. Hansen wrote:
> > Nonetheless, it gets incredibly close. I wonder if there might be a cost
> involved with acquiring anything -- at the very least, you have to make the
> decision to acquire it.
>
> Necessarily there must be. Free trade depends on value di
On Thu, May 5, 2011 at 4:10 PM, Doug Barton wrote:
> On 05/04/2011 23:52, Andreas Heinlein wrote:
>>
>> We have an OpenPGP key which we use for signing our software releases.
>> That key should be changed yearly and carry an expiration date to
>> enforce this change.
>
> What are you trying to acco
On 05.05.2011 22:10, Doug Barton wrote:
> On 05/04/2011 23:52, Andreas Heinlein wrote:
>> We have an OpenPGP key which we use for signing our software releases.
>> That key should be changed yearly and carry an expiration date to
>> enforce this change.
>
> What are you trying to accomplish by doi