Re: changing key expiration

2009-08-27 Thread Daniel Kahn Gillmor
Hi Bernhard-- On 08/27/2009 01:36 PM, Bernhard Kuemel wrote: > It appears the key expiration is part of the signatures. Will the most > recent signature have the effective expiration date? yes, the most recent certification made by the same issuer on a given subject is considered to supersede all

Re: changing key expiration

2009-08-27 Thread Daniel Kahn Gillmor
On 08/27/2009 03:30 PM, Bernhard Kuemel wrote: > Ok, great. Could I also sign my key after it expired with a new > expiration period to revive it? Yes, i'm pretty sure you can do this, but i always take pains to try to update the expiration date *before* it passes ;) --dkg

Re: howto secure older keys after the recent attacks

2009-09-10 Thread Daniel Kahn Gillmor
On 09/09/2009 09:45 PM, David Shaw wrote: > Instead of giving my preferences, > allow me to point at the wonderful defaults in GPG. They're the default > algorithms for a reason. I've asked this before, but without any satisfactory answer, i'm still curious: Why do the digest defaults in 1.4.10

Re: howto secure older keys after the recent attacks

2009-09-10 Thread Daniel Kahn Gillmor
On 09/10/2009 10:54 AM, Robert J. Hansen wrote: > On Thu, 2009-09-10 at 14:02 +0200, Philippe Cerfon wrote: >> I thought the key ID is only used for humans to short check the >> keys,.. but not in the system itself?! > > Nope, it's pretty pervasive in the system. Unless i misunderstand the contex

Re: howto secure older keys after the recent attacks

2009-09-10 Thread Daniel Kahn Gillmor
On 09/10/2009 06:32 PM, Christoph Anton Mitterer wrote: > 3) One problem with such devices is,.. that one can never know (well at > least normal folks like me) how good they actually are. > If this company would be evil (subsidiary of NSA or so) they could just > sell bad devices that produce poor

Re: howto secure older keys after the recent attacks

2009-09-10 Thread Daniel Kahn Gillmor
On 09/10/2009 10:23 PM, David Shaw wrote: > "Could" is a very powerful word. At some point, people have to buy and > run the closed-source hardware they need to run their open-source > software on :) Agreed! I was just pointing out that the lack of true entropy might not be as obvious as the pro

choosing an encryption target from a User ID

2009-09-22 Thread Daniel Kahn Gillmor
when encrypting messages to a user ID with multiple matching keys with full calculated validity, gpg seems to just choose the "first" matching key, for some definition of "first" -- i think it's decided by chronological age of first import into the local keyring. This does not seem to be the best

Re: choosing an encryption target from a User ID

2009-09-22 Thread Daniel Kahn Gillmor
On 09/22/2009 04:57 PM, John W. Moore III wrote: > Like GPG it utilizes the 1st encountered Key that matches the Send To: > address & is valid. this is not what gpg does. gpg simply chooses the first key with a matching user ID, whether or irrespective of the calculated validity of the User ID in

Re: choosing an encryption target from a User ID

2009-09-22 Thread Daniel Kahn Gillmor
On 09/22/2009 04:09 PM, John W. Moore III wrote: > John Clizbe wrote: > >> IIRC, it's the first usable key with a matching User ID. Period. First one it >> can use. thanks for catching that, John. It appears that if the first key with a matching User ID doesn't have full calculated validity, the

Re: choosing an encryption target from a User ID

2009-09-22 Thread Daniel Kahn Gillmor
arbitrary bubble-sort-ish reorderings with this primitive, too; is there another way?) c) that gpg is even willing to settle on a key with a matching User ID with no calculated validity (e.g. if i added a user ID of "Daniel Kahn Gillmor " to my key, even if no one else certified it, then anyo

Re: choosing an encryption target from a User ID

2009-09-23 Thread Daniel Kahn Gillmor
On 09/22/2009 07:16 PM, David Shaw wrote: > It doesn't work that way. The default is "the first valid key". It's > been that way in the PGP world since before GPG as a product was > written. If you want to propose a specific alternative, I'm ready to > listen, but I'm not going to defend the def

Re: choosing an encryption target from a User ID

2009-09-23 Thread Daniel Kahn Gillmor
On 09/23/2009 12:17 PM, Werner Koch wrote: > Please keep in mind that using a user ID is just to help the user in the > most common case. Any proper mail tool won't accept such a solution but > either present the user a list of matching keys and let him select a key > or auto select the key based

Re: choosing an encryption target from a User ID

2009-09-23 Thread Daniel Kahn Gillmor
On 09/23/2009 06:04 PM, Ingo Klöcker wrote: > I'm pretty sure that this will break horribly as soon as the user ID > contains non-ASCII characters (as does my user ID). For exactly this > reason I made KMail use the key ID instead of the user ID about 7 years > ago. What makes you think that no

Re: choosing an encryption target from a User ID

2009-09-25 Thread Daniel Kahn Gillmor
On 09/24/2009 04:56 PM, Ingo Klöcker wrote: > Does it also work with keys like 0xCB0D4CAF or 0xAB1BC4E6 created with > PGP 6 (or earlier) where the user ID is not UTF-8 encoded? hm; 0xCB0D4CAF looks to me like it expired 5 years ago; and 0xAB1BC4E6 doesn't appear to be available on the public ke

Re: choosing an encryption target from a User ID

2009-09-25 Thread Daniel Kahn Gillmor
On 09/25/2009 11:06 AM, David Shaw wrote: > What troubles me about this sort of behavior is that it is genuinely > good and helpful in some cases and baffling and off-putting in others. > For example, someone has two different Alice keys in their keyring. > Both keys have a single UID, which is s

Re: choosing an encryption target from a User ID

2009-09-27 Thread Daniel Kahn Gillmor
On 09/25/2009 02:40 PM, Ingo Klöcker wrote: > 0xF661F608 (This is _not_ one of my keys. Funny enough this Ingo Klöcker > went to the same school and the same university as I did.) > > 0x104B0FAF, 0x5706A4B4, 0xD96484AC, 0x7C52AC99, 0xAFA03822, 0x91190EF9 > (this last one is definitely still in u

Re: choosing an encryption target from a User ID

2009-09-29 Thread Daniel Kahn Gillmor
Thanks for the discussion, Ingo! This is really useful to me, and i appreciate the thought you've obviously put in here. On 09/29/2009 04:32 PM, Ingo Klöcker wrote: > She creates a new key, but Bob > continues to use the old key. Unless Bob automatically imports unknown > keys, he will notice t

Re: Mismatch between binary and ASCII-armored output for encrypted message

2009-09-30 Thread Daniel Kahn Gillmor
On 09/30/2009 05:27 AM, Chris Sutton wrote: > It appears as if GPG is putting slightly different binary data into the > ASCII-armored version as into the direct binary output. Is this possible? OpenPGP encryption is a hybrid model: first, a random session key is generated. then the random sess

Re: choosing an encryption target from a User ID

2009-09-30 Thread Daniel Kahn Gillmor
On 09/30/2009 05:32 PM, Ingo Klöcker wrote: > Hmm, AFAIU, for someone who does not blindly certify such keys this > shouldn't be a problem since those malicious keys wouldn't be valid and > thus wouldn't take preference over a valid key ... unless somebody else > this person trusts is trying to

Re: GNUPG HELP please

2009-10-14 Thread Daniel Kahn Gillmor
Hi Connie-- On 10/14/2009 01:55 PM, CONNIE RODRIGUEZ wrote: > + /usr/local/bin/gpg -e -r REWARD > /law/test/law/test/interface/watsonwyatt/data/epay.txt > gpg: WARNING: unsafe permissions on configuration file > `/home/lawhr/.gnupg/gpg.conf' This suggests that your configuratio

Re: GNUPG HELP please

2009-10-14 Thread Daniel Kahn Gillmor
Hi Connie-- I'm glad that was useful. On 10/14/2009 05:07 PM, CONNIE RODRIGUEZ wrote: > I attempted key signing but was not successful. I received the following > output: > > [la...@lsftest1/usr/local/bin # ./gpg --edit-key REWARD > pub 1024D/C2126D6D created: 2009-02-23 expires: never

Re: Question about syntax of a command

2009-10-30 Thread Daniel Kahn Gillmor
On 10/30/2009 02:10 PM, Faramir wrote: > In the hypothetical case I want to encrypt a file, using 3DES symmetric > algo, and without using asymmetric encryption (the file would just be > encrypted with 3DES and a password provided by the user), how would it > be the syntax I must enter? I rea

Re: Trust reference

2009-11-14 Thread Daniel Kahn Gillmor
On 11/14/2009 01:45 PM, Susan Stewart wrote: > I'm filing a bug for my IM client (Gajim) because it currently only > allows sending of encrypted and/or signed presence or messages to > contacts whose keys I trust ultimately (trust level 5). The > documentation at http://gnupg.org/gph/en/manual.htm

Re: How to check the trust level

2009-11-21 Thread Daniel Kahn Gillmor
On 11/21/2009 01:48 PM, ratzip wrote: > If some one has signed my key and set the trust level > on my key, how could I check the trust level he set? > which commands should I use? For the typical way that GPG manages ownertrust, that information is not published (or publishable) at all. In the un

Re: GPG self signature missing error

2009-11-23 Thread Daniel Kahn Gillmor
On 11/23/2009 07:17 AM, kuttuani wrote: > I have GNUPG versions 1.2 and 1.4 installed on two servers A and B > respectively. > > I got a gpg key from a client, i imported it on Server B without any error > messages and I am able to encrypt and decrypt data. > > but on server A I am getting many e

Re: dumping a gpg message

2009-11-30 Thread Daniel Kahn Gillmor
On 11/30/2009 03:05 PM, Alan Batie wrote: > I've searched around and can't seem to find anything to dump a gpg > message for debugging, but I have a hard time believing there isn't > something like that. I simply want to see who it was encrypted to, as > I'm getting complaints that messages sent t

Re: Equivalent segments between different Fedora & RPM Fusion ASCII armored key blocks

2009-12-01 Thread Daniel Kahn Gillmor
On 11/29/2009 04:51 PM, wavelength wrote: > Can someone explain why large segments within the ASCII armored key blocks of > Fedora 11 & 12 match? Attached below are the respective key blocks. Two > matching regions between the blocks are highlighted with bold arrows. These blocks are actually cert

Re: Can't import valid GPG keys in Ubuntu

2009-12-10 Thread Daniel Kahn Gillmor
On 12/08/2009 09:13 PM, BlueGnu wrote: > gpg command line and output: > /usr/bin/gpg > gpg: /home/administrator/.gnupg/gpg.conf:243: invalid option > gpg: /home/administrator/.gnupg/gpg.conf:244: invalid option And what is on lines 243 and 244 of the file /home/administrator/.gnupg/gpg.conf ?

Re: --edit-key Information

2009-12-14 Thread Daniel Kahn Gillmor
On 12/14/2009 11:26 AM, Werner Koch wrote: > On Mon, 14 Dec 2009 09:46:44 -0500 (EST), Gary Hanley wrote: > >> Where do I find information about the "D" in "1024D" and the "g" in >> "4096g"? What are the other potential values? > > In the source ;-). gnupg/g10/keyid.c: maybe this info could go

Re: The number of lines of a key opened in a text-editor

2009-12-15 Thread Daniel Kahn Gillmor
On 12/15/2009 06:05 PM, Robert J. Hansen wrote: > A "public key" usually has a lot more data than just the key material. > User IDs and signatures are usually present, too. Some users even > include a JPEG of themselves in their key. If you're interested in making those unintelligible lines more

Re: Changing expiration time of subkeys

2010-01-05 Thread Daniel Kahn Gillmor
Hi taurus-- On 01/05/2010 08:13 PM, taurus wrote: > I am trying to change the expiration time of 2 sub-keys with no success. > I edit the main key and with command expire I selected the uid(s) sub-keys are not bound to any particular uid ("user id"), but rather to the primary key itself. select

Re: Changing expiration time of subkeys

2010-01-05 Thread Daniel Kahn Gillmor
On 01/06/2010 12:59 AM, taurus wrote: > I succeed to change the expiration date of the subkeys when I use the > 'key 1' and 'key 2' command. Before I was using only 1,..2,... great! > On 6 January 2010, at 05:34, Daniel Kahn Gillmor wrote: >> is there

Re: Formalizing the Facebook Web of Trust

2010-01-06 Thread Daniel Kahn Gillmor
On 01/06/2010 04:16 PM, Andre Amorim wrote: > What are your thoughts about that ? > > http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf Interesting! thanks for pointing it out. I like the idea of using Facebook as a transport/distribution mechanism. I'm less confident in their use

Re: Web of Trust itself is the problem

2010-01-07 Thread Daniel Kahn Gillmor
On 01/07/2010 04:36 AM, makrober wrote: > *Most individuals will rarely, if ever, be motivated to communicate > in secrecy with someone they don't already have a trusted > relationship with*. I beg to differ. anyone who has ever conducted online business has a strong incentive for communications

Re: Web of Trust itself is the problem

2010-01-07 Thread Daniel Kahn Gillmor
On 01/07/2010 11:50 AM, Alex Mauer wrote: > Many people have correspondence with people they never have and never > will meet in person, and knowing that it’s always the same person is > still helpful. agreed, key continuity checking is itself a useful tool, and maybe more OpenPGP implementations

Re: weird behavior of symmetrically encrypted file

2010-01-15 Thread Daniel Kahn Gillmor
Hi Tobias-- On 01/15/2010 04:24 AM, Tobias wrote: > Why do I get a passphrase ("3ity") which I can't remember having ever > used in my life? Why does gpg regard it as correct but still not decrypt > my file? And apart from these somewhat academical questions: Is there a > way I can use the half-co

Re: weird behavior of symmetrically encrypted file

2010-01-18 Thread Daniel Kahn Gillmor
Hi Tobias-- On 01/16/2010 09:03 PM, Tobias wrote: > thank you for your answer, it helped me a lot. You're welcome! Glad to be helpful. > The thing I'm unsure about is which parts of the decryption process I'd > have to apply in order to safely discriminate positives from negatives. > As far as

Re: How to sign an email in PHP?

2010-02-25 Thread Daniel Kahn Gillmor
On 02/25/2010 11:59 AM, Carlos Chavez wrote: > I have to write the whole email manually in PHP because the PEAR libraries for > Mime do not quite get the headers right Please file bugs against the PEAR libraries in question so that they can be fixed. Thanks! Regards, --dkg

Re: key question

2010-03-03 Thread Daniel Kahn Gillmor
On 03/03/2010 11:16 AM, Mark H. Wood wrote: > On Fri, Feb 26, 2010 at 03:53:27PM +, MFPA wrote: >> There are privacy issues, especially if user-ids on the key contain >> email addresses. In some cases, the authorities knowing an individual >> used encryption could be a problem. > > There are i

Re: Changing & verifying the --max-cert-depth in Windows

2010-03-04 Thread Daniel Kahn Gillmor
On 03/04/2010 08:18 AM, erythrocyte wrote: > And here's the output of the last command: > > gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model > gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u > gpg: next trustdb check due at 2011-03-03 > > It

Re: Changing & verifying the --max-cert-depth in Windows

2010-03-04 Thread Daniel Kahn Gillmor
On 03/04/2010 01:12 PM, David Shaw wrote: > On Mar 4, 2010, at 8:18 AM, erythrocyte wrote: >> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model >> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u >> gpg: next trustdb check due at 2011-03-03 > > I

Re: Changing & verifying the --max-cert-depth in Windows

2010-03-04 Thread Daniel Kahn Gillmor
On 03/04/2010 01:01 PM, Grant Olson wrote: > On 3/4/2010 12:45 PM, Daniel Kahn Gillmor wrote: >> I'm also not sure what the "signed: 128" suggests in the "depth: 1" >> line. Surely of all 83 keys i've certified, they have collectively >> iss

Re: Migrating from PGP to GPG question

2010-03-05 Thread Daniel Kahn Gillmor
On 03/05/2010 01:30 AM, Smith, Cathy wrote: > The gpg --list-sig shows that the keys are signed. Do I need to create a > new signature key, and re-sign all the public keys that I imported? I think the simplest thing for you to do is to modify the ownertrust of your old signing key on the new in

Re: Should I set cert-digest-algo?

2010-03-16 Thread Daniel Kahn Gillmor
On 03/16/2010 10:02 AM, Grant Olson wrote: > A while ago I stumbled onto instructions to up my prefs to use a better > hash than SHA1: > > http://www.debian-administration.org/users/dkg/weblog/48 Hi Grant, i'm the author of that post. > Today I was surfing around, and saw some relatively recent

Re: Elliptic curves in gnupg status?

2010-04-24 Thread Daniel Kahn Gillmor
On 04/23/2010 11:24 PM, Faramir wrote: > Well, I don't know anything about development plans, I think it is > very likely we won't see ecc implemented in GnuPG _unless_ it is > included first in OpenPGP standard. If GnuPG implements ecc before it > becomes standard, we would get keys that would o

Re: Time output format

2010-04-27 Thread Daniel Kahn Gillmor
Hi Jeff-- On 04/27/2010 02:52 PM, Jeff Sadowski wrote: > Is there an option to change the format of the time? > While reading the manual I could not find it. if you are mechanically parsing the output of gpg, you probably want to use --status-fd or --status-file and compare the info from there.

Re: Wrong signature hash detection?

2010-05-06 Thread Daniel Kahn Gillmor
On 05/06/2010 10:43 PM, Hauke Laging wrote: > It says SHA1 though according to my understanding > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.14 (GNU/Linux) > > iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu > cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSn

Re: Help me to import my secret key please

2010-05-08 Thread Daniel Kahn Gillmor
On 05/08/2010 12:26 PM, Stephane Dupuis wrote: > $ gpgsm -K > gpgsm[5195]: can't connect to `/home/hoper/.gnupg/S.gpg-agent': Aucun > fichier ou dossier de ce type > /home/hoper/.gnupg/pubring.kbx > -- >ID: 0xC8ACF3C4 > S/N: 01 >Issu

Re: Help me to import my secret key please

2010-05-09 Thread Daniel Kahn Gillmor
On 05/09/2010 04:40 AM, Charly Avital wrote: > Yes, you can generate a new key pair with the same user ID email, the key > server will accept it. Do not forget to generate a revocation > certificate and to store in a safe place. Yup, Charly is correct about this. You can actually have as many keys

Re: Help me to import my secret key please

2010-05-09 Thread Daniel Kahn Gillmor
On 05/09/2010 05:10 PM, Faramir wrote: > But comments field is for comments, not for identity information, so I > don't see any problem in adding a hint so people can know "which key > should I use?". OK, but how many such comments should we use? (see below...) > Good question, but, since th

Re: Encryption to key with multiple subkeys

2010-05-11 Thread Daniel Kahn Gillmor
On 05/11/2010 07:22 PM, markus reichelt wrote: > * Alex Mauer wrote: > >>> Nope. More to the point, think about people having both private UID >>> and business UID on the same key - the way you describe it could mix >>> things up badly. >> >> How so? There's no connection between UIDs and keys..

Re: Encryption to key with multiple subkeys

2010-05-11 Thread Daniel Kahn Gillmor
On 05/11/2010 05:02 PM, markus reichelt wrote: > Nope. More to the point, think about people having both private UID > and business UID on the same key - the way you describe it could mix > things up badly. But UIDs aren't bound to subkeys (they're bound to the primary key, just as the subkeys are

Re: Encryption to key with multiple subkeys

2010-05-11 Thread Daniel Kahn Gillmor
On 05/11/2010 07:42 PM, Joke de Buhr wrote: > The encrypt-to-all-encryption-capable-subkeys ensures that the owner of the > primary key will always be able to decrypt the message no matter what (not- > revoke) encryption key secrets he can access at the moment. yup, i think this is a good argumen

Re: Help me to import my secret key please

2010-05-12 Thread Daniel Kahn Gillmor
On 05/12/2010 02:06 PM, MFPA wrote: > Although the comment could just state it was his new key from > dd/mm/ without mentioning any other key(s). even this comment would be superfluous, since the key has a "Created on" timestamp built in. Also, his statement isn't really part of a person's id

Comment fields in the User ID [was: Re: Help me to import my secret key please]

2010-05-17 Thread Daniel Kahn Gillmor
On 05/17/2010 12:47 PM, MFPA wrote: > Nearly 20% of the keys in my keyring have something in the User ID > that is clearly not part of a person's identity. > > What would you say was a non-dubious use of the "comment" field within > the User ID? I've been asking myself the same question; i haven'

Re: ...key belongs to ...

2010-05-31 Thread Daniel Kahn Gillmor
On 05/29/2010 08:47 PM, Dan Mahoney, System Admin wrote: > On Sun, 30 May 2010, Michael D. Berger wrote: >> Now in the context in which this is being used, there is no >> uncertainty regarding key ownership, and the encryption is >> part of a bash script. The query stops the script. >> >> Therefor

Re: Keyserver spam example

2010-06-10 Thread Daniel Kahn Gillmor
Hi Joke-- On 06/10/2010 11:22 AM, Joke de Buhr wrote: > I never said this particular spam message was not caused by someone scanning > the keyserver. I only stated it isn't that common and never happened to me. > > The chance someone harvesting your email address through keyserver scanning > is

[OT] spam avoidance via IP-based filtering at the MTA [was: Re: Keyserver spam example]

2010-06-10 Thread Daniel Kahn Gillmor
On 06/10/2010 11:57 AM, Joke de Buhr wrote: > You do not sacrifice legitimate incoming mail because there is an RFC that > clearly states mailservers do not operate from dynamic IP addresses. > Therefore > they can not be considered valid. Please cite this RFC. All IP addresses are "dynamic" i

Re: auto refresh-keys

2010-06-14 Thread Daniel Kahn Gillmor
On 06/04/2010 01:35 PM, Micah Anderson wrote: > It seems like the best solution would be to build into gnupg the functionality > that is similar to the automatic trust database operation: have gpg > auto-refresh > from the configured keyserver periodically. I think something like this would be a

Re: auto refresh-keys

2010-06-14 Thread Daniel Kahn Gillmor
On 06/14/2010 12:50 PM, Daniel Kahn Gillmor wrote: > * discard all certifications which are larger than some sorry, this thought didn't get finished. it should have said: * discard all certifications which are larger than some pre-defined value (e.g. do not bother processing certif

Re: auto refresh-keys

2010-06-14 Thread Daniel Kahn Gillmor
On 06/14/2010 07:54 PM, MFPA wrote: > On Monday 14 June 2010 at 6:19:58 PM, in > , Daniel Kahn Gillmor wrote: >> The goal, again, is to avoid auto-refresh from chewing >> up too much space on the local disk. > > Although, of course, the certifications are all part

Re: auto refresh-keys

2010-06-16 Thread Daniel Kahn Gillmor
On 06/16/2010 01:03 PM, MFPA wrote: >> Plus, if we can demonstrate that GnuPG cares about >> minimizing costs to the user in terms of disk space, we >> also stand in a better rhetorical position to encourage >> development (or adoption) of alternate keyserver fetch >> requests that could apply simi

Re: undefined symbol: gcry_md_hash_buffer

2010-06-17 Thread Daniel Kahn Gillmor
On 06/14/2010 12:30 PM, Honia A wrote: > > Hi, (i think i previously sent this question to the wrong mailinglist) no, you sent it on the right one first -- this is a gcrypt question, not a gnupg question. i've answered you on gcrypt-devel. Sorry that no one else has answered in the meantime.

Re: Can we use GNUPG with PGP for commercial use

2010-06-17 Thread Daniel Kahn Gillmor
Hi Prakash-- On 06/17/2010 09:59 AM, Gorugantu, Prakash wrote: > Our project has a requirement where we need to pull a file using PGP > encryption/decryption from one of our clients ftp servers. Please let us > know if we can use GNUPG to encrypt/decrypt files with PGP. We read > somewhere in you

Re: Can we use GNUPG with PGP for commercial use

2010-06-17 Thread Daniel Kahn Gillmor
On 06/17/2010 12:45 PM, Joke de Buhr wrote: > Unlike PGP GnuPG is a non-commercial tool. There is no warranty. You can't > sue > anyone if GnuPG does not do what it's supposed to do. If your goal is to be able to sue someone over proprietary software, i strongly advise you to read the relevant E

Re: local signatures: should they be importable by default in some cases?

2010-06-21 Thread Daniel Kahn Gillmor
On 06/21/2010 06:32 PM, David Shaw wrote: > On Jun 21, 2010, at 6:11 PM, Alex Mauer wrote: > >> I see that there is currently the import-option "import-local-sigs" >> which obviously allows the import of key-signatures marked non-exportable. >> >> It seems to me that it would be helpful to have a

Re: local signatures: should they be importable by default in some cases?

2010-06-22 Thread Daniel Kahn Gillmor
On 06/22/2010 02:00 AM, Doug Barton wrote: > What do you think "local" signatures are, and what do you think they > mean? (And no, I'm not trying to be snarky, you're asking about > "intuition," so it makes sense to address the base assumptions.) non-exportable certifications are simply certificat

Re: How to sign a remote repository, i.e. forward agent

2010-06-30 Thread Daniel Kahn Gillmor
On 06/29/2010 03:40 PM, Carsten Aulbert wrote: > My problem is relatively simple. We provide a (Debian) repository for our > colleagues as well as ourselves and would like to sign it [ ... ] > Anyone with an idea how to accomplish this? I maintain several signed apt repositories. I never for

Re: How to sign a remote repository, i.e. forward agent

2010-06-30 Thread Daniel Kahn Gillmor
On 06/30/2010 01:33 PM, Carsten Aulbert wrote: > Thus maybe I should consider doing a 2-way sync: If you're worried about collisions/race conditions, you could reduce the race window to an arbitrarily small timeframe by having your sync scripts hold an advisory lockfile on the public-facing machin

Re: plausibly deniable

2010-07-22 Thread Daniel Kahn Gillmor
On 07/22/2010 04:19 PM, Andre Amorim wrote: > Do we have a "plausibly deniable" option ? Yes: do not sign your messages. OpenPGP signatures are inherently designed to be non-repudiable. This is not what you want if you want deniability. --dkg

Re: plausibly deniable

2010-07-23 Thread Daniel Kahn Gillmor
On 07/23/2010 09:51 AM, ved...@nym.hush.com wrote: >> From: Andre Amorim >> Do we have a "plausibly deniable" option ? > > [1] hiding the identity of the encryption: > > The 'throw-keyids' option hides which keys the message is encrypted to [...] > The government can claim, that in order to pro

Re: gpg --batch --yes --edit-key trust

2010-07-23 Thread Daniel Kahn Gillmor
On 07/23/2010 07:35 AM, m...@proseconsulting.co.uk wrote: >> On Fri 23/07/10 11:48 AM , David Smith dave.sm...@st.com sent: >>> I need to be able to ultimately trust a public key >>> in batch mode, that I have downloaded automatically with wget from an >>> internal server over HTTPS. >> >> I think

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 12:18 PM, thomas weidner wrote: > Hello, > > i started using gpg (with enigmail) today and found out i have > already a key for my e-mail address on the key servers which i had > completely forgotten about. Of course i do have the private key for > this old key any more. Therefore i c

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 01:11 PM, Gregor Zattler wrote: > Doesn't this open a denial of service attack vector on OpenPGPs > PKI infrastructure? I could binary edit your key, the key server > adds its. You could also create bogus signatures that claim to be from non-existent keys and upload them to the keys

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 01:19 PM, Robert J. Hansen wrote: > On 8/25/10 12:58 PM, Daniel Kahn Gillmor wrote: >> keyservers do no cryptographic verification whatsoever. I think this is >> (historically) for several reasons: > > [good reasons 0-3 skipped] > > 4) Asymmetric cryp

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 03:28 PM, Grant Olson wrote: > (1) Verifying that the keydata hasn't been tampered with, like editing > in a hex editor? this isn't very meaningful -- data is data, and you can't actually tell if it's been touched by a hex editor. > (2) Only accepting keydata that has been signed by

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 07:45 PM, Chris Knadle wrote: > There's a problem with this idea, which is that there's no opportunity to > notify the client that there was a problem if the check is done /later/. If > instead the computation is done at the time of the uploaded modification, > then > there's an

Re: Modified user ids and key servers and a possible security risk?

2010-08-25 Thread Daniel Kahn Gillmor
On 08/25/2010 07:27 PM, Grant Olson wrote: > On 8/25/10 5:49 PM, Daniel Kahn Gillmor wrote: >> And that's *just* for the self-signatures. Deciding how to cull the >> non-self-signatures is an even larger can of worms. > > The one big use case people throw around

Re: multiple keys vs multiple identities

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 09:36 AM, Simon Richter wrote: > On Fri, Sep 24, 2010 at 02:15:24PM +0200, Vjaceslavs Klimovs wrote: >> If I have multiple not related e-mail accounts, is it better to create >> one key pair with multiple identities or a separate key pair for every >> account? note that if you want t

per-user data signatures [was: Re: multiple keys vs multiple identities]

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 10:30 AM, Simon Richter wrote: > Of course. I was talking about data signatures, i.e. "I'm signing this > with my work hat on". ah, gotcha. sorry for the misunderstanding. > The main use case I have is my Debian work -- when I sign a .changes > file, the Debian archive will accept

Re: per-user data signatures [was: Re: multiple keys vs multiple identities]

2010-09-24 Thread Daniel Kahn Gillmor
ne. > > hashed subpkt 20 len 28 (notation: t...@example.org=test) Weird. What am i doing wrong? what version of gpg are you using? Here's my full transcript: >> 0 d...@pip:~$ echo test | gpg --sign --set-notation 't...@example.org=test' >> | gpg --list-packe

Re: per-user data signatures [was: Re: multiple keys vs multiple identities]

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 12:57 PM, David Shaw wrote: > Hmm. It's a v3 sig which can't carry a notation. Do you have force-v3-sigs > set anywhere? Or any of the --pgpX options (which set force-v3-sigs) ? yup, that was it. i don't recall putting that in my gpg.conf explicitly -- it must have been there fr

force-v3-sigs [was: Re: per-user data signatures]

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 01:17 PM, Daniel Kahn Gillmor wrote: > The attached patch clarifies things to my current understanding of them > (but i might be wrong!) hrm. g10/options.skel contains the following: >> # By default GnuPG creates version 3 signatures for data files. This >>

how long should a gpg --import of 886 users take?

2010-09-24 Thread Daniel Kahn Gillmor
I just started with a clean gpg homedir, imported one key (my own), and then imported the full keyring of all debian developers: mkdir -m 0700 test export GNUPGHOME=test gpg --keyserver keys.gnupg.net ( --recv D21739E9 gpg --import < /usr/share/keyrings/debian-keyring.gpg this last step impor

Re: multiple keys vs multiple identities

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 02:32 PM, MFPA wrote: > On Friday 24 September 2010 at 3:00:40 PM, in > , Daniel Kahn Gillmor wrote: > Vjaceslavs Klimovs wrote: >>> It'd be nice if there was a signature notation that >>> specifies which UID(s) this signature would be valid >>>

how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]

2010-09-24 Thread Daniel Kahn Gillmor
On 09/24/2010 09:54 AM, David Shaw wrote: > On Sep 24, 2010, at 8:15 AM, Vjaceslavs Klimovs wrote: >> Is it good idea to create 4096 bit keys when creating new key pair? I >> read through archives on this mailing list, and it seems there is no >> real disadvantages of doing so. > > It won't work w

Re: how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]

2010-09-27 Thread Daniel Kahn Gillmor
On 09/27/2010 05:12 AM, David Smith wrote: > Not truly "quantitative, but I notice a significant difference between > encrypting emails to people with 1024-bit keys vs people with 4096-bit > keys. I'd say that the difference is in the order 3-6 seconds. ah, ok. i'll add encrypting messages to th

Re: how slow are 4Kbit RSA keys? [was: Re: multiple keys vs multiple identities]

2010-09-27 Thread Daniel Kahn Gillmor
On 09/27/2010 10:55 AM, Jameson Rollins wrote: > On Mon, 27 Sep 2010 16:28:07 +0200, Vjaceslavs Klimovs > wrote: >> 2048 bit keys are suitable - it's "user+sys" what matters in this case, >> but not "real" by all means, as that includes waiting for passphrase >> input too. > > I think this is re

Benchmarking OpenPGP operations with GnuPG [was: Re: how slow are 4Kbit RSA keys?]

2010-09-28 Thread Daniel Kahn Gillmor
On 09/24/2010 05:23 PM, Grant Olson wrote: > I can test on a Motorola i1 (Boost' droid) with APG, but I'll only be > able to do a stopwatch test. As far as I'm concerned, under one sec is > good. i'd be interested in seeing the results, even if the mechanism is clunky (btw, you could also use a w

Re: How to delete a signature from a key with delsig?

2010-10-05 Thread Daniel Kahn Gillmor
On 10/05/2010 12:21 PM, Max Burley wrote: > I have two keys: > - a personal key (used to sign this message); and > - a business key. > > Inadvertently, I signed the business key with the personal key. Trying > to remove that personal signature with delsig fails. how does it fail? to be clear, i

Re: Encrypt Error - There is no assurance this key belongs to the named user

2010-10-06 Thread Daniel Kahn Gillmor
On 10/05/2010 09:57 PM, Larry Brower wrote: > Have you verified it is trusted on the system you are trying to use it > on? Perhaps the key isn't trusted. This is not about trust for this key -- it is about validity. The point is that the key does not have a valid binding to its User ID, so encry

Re: Remove key from an encrypted file?

2010-10-06 Thread Daniel Kahn Gillmor
On 10/06/2010 01:19 PM, Benjamin Bressman wrote: > If I use GnuPG to encrypt a file with multiple keys is it possible to > remove one of those keys at a later date? it's possible, but it's a bit clumsy. you could use gpgsplit to handle the situation: mkdir cleandir cd cleandir gpgsplit < $mes

Re: Confirmation for cached passphrases useful?

2010-10-11 Thread Daniel Kahn Gillmor
On 10/11/2010 09:25 PM, Hauke Laging wrote: > I just had the idea that it might be a good countermeasure against malicious > software not to use a cached passphrase without any user interaction (and > thus > without user notice). A good compromise would be to open a dialog which does > not ask

Re: Confirmation for cached passphrases useful?

2010-10-11 Thread Daniel Kahn Gillmor
On 10/11/2010 10:20 PM, Robert J. Hansen wrote: > On 10/11/2010 9:25 PM, Hauke Laging wrote: >> I just had the idea that it might be a good countermeasure against >> malicious software not to use a cached passphrase without any user >> interaction (and thus without user notice). > > The most obv

Re: Confirmation for cached passphrases useful?

2010-10-11 Thread Daniel Kahn Gillmor
On 10/11/2010 09:56 PM, Larry Brower wrote: > This seems like something that would get really annoying really > quickly. Why not just change settings to not cache the passphrase if > you do not like using it this way ? re-entering the passphrase each time is significantly more annoying than confir

Re: Confirmation for cached passphrases useful?

2010-10-11 Thread Daniel Kahn Gillmor
On 10/12/2010 12:34 AM, Robert J. Hansen wrote: > Heck, this doesn't even defend against an *unprivileged* attack. Give > me unprivileged access to your user account I'll edit your .profile to > put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in > there. Once the malware exec

Re: Confirmation for cached passphrases useful?

2010-10-12 Thread Daniel Kahn Gillmor
On 10/12/2010 02:26 AM, Werner Koch wrote: > On Tue, 12 Oct 2010 04:44, d...@fifthhorseman.net said: > >> (e.g. one process can send a simulated mouseclick to another process >> pretty easily) but that doesn't mean no one is running with a > > The standard pinentry grabs mouse and keyboard and th

Re: Confirmation for cached passphrases useful?

2010-10-13 Thread Daniel Kahn Gillmor
On 10/12/2010 02:46 PM, Werner Koch wrote: > Anyway, if you are already have these permissions you can attack the > keys with all kind of simple tricks. Thus it is mood. i'm not convinced it's moot, especially if i understand the model you're advancing for the agent for 2.1 correctly. If i run t

Re: Confirmation for cached passphrases useful?

2010-10-14 Thread Daniel Kahn Gillmor
On 10/13/2010 07:02 PM, MFPA wrote: > The user can type their password once per session into a text file and > paste it every time it is requested. This reduces the annoyance factor > and does not train the user to constantly re-type the passphrase. This strikes me as the worst suggestion on this

Re: Confirmation for cached passphrases useful?

2010-10-14 Thread Daniel Kahn Gillmor
On 10/14/2010 04:31 PM, Grant Olson wrote: > But ultimately once you start trying to fix the problem by offloading > the checks to special hardware, you might as well just key a smart card > reader with an integrated keypad. Then you can use a simple pin. Not > quite as convenient as hitting Y/N,
