Bug#318587: gnupg: should encrypt to all subkeys
On Mon, 18 Jul 2005 11:36:20 +0200, Steinar H Gunderson said:

> Well, s/both/all/. What is the disadvantage, if any?

Overhead in size and performance.

> Does it make much more sense having multiple subkeys, but in reality only use
> one of them? I'm not sure if I catch the logic here :-)

The subkeys are used for different operations (sign, authenticate, encrypt) and for key-rollover (to achieve a certain amount of PFS (perfect forward secrecy)). The latter actually requires that one does not encrypt to any older subkeys even if they are still valid - the owner of the key might have already deleted that key.

Please continue the discussion on [EMAIL PROTECTED]. I don't think it is appropriate for a BTS.

Salam-Shalom,

Werner

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#318587: gnupg: should encrypt to all subkeys
On Sun, 17 Jul 2005 16:54:44 +0200, Steinar H Gunderson said:

> Well, does OpenPGP specify at all which subkeys to encrypt to? Is there a
> good reason why GnuPG simply can't encrypt to both by default?

No. Why only to both of them? There are often more than just 2 non-expired encryption keys.

> Mm, but then I'd have to revoke the old encryption subkey to work around what
> I consider is a bug in GnuPG, and I'd hate accumulating cruft for such
> reasons :-/

For sure that is not a bug. Using the latest valid encryption subkey is what almost everyone would expect. Anything else does not make much sense. Whether something is a card key or a gpg-agent controlled key or a plain disk stored key or a PGP 8 key or ... is not visible to someone going to encrypt to a key.

Shalom-Salam,

Werner
Bug#318587: gnupg: should encrypt to all subkeys
On Mon, Jul 18, 2005 at 07:55:57AM +0200, Werner Koch wrote:

>> Well, does OpenPGP specify at all which subkeys to encrypt to? Is there a
>> good reason why GnuPG simply can't encrypt to both by default?
>
> No. Why only to both of them? There are often more than just 2
> non-expired encryption keys.

Well, s/both/all/. What is the disadvantage, if any?

> For sure that is not a bug. Using the latest valid encryption subkey
> is what almost everyone would expect. Anything else does not make
> much sense.

Does it make much more sense having multiple subkeys, but in reality only use one of them? I'm not sure if I catch the logic here :-)

> Whether something is a card key or a gpg-agent controlled
> key or a plain disk stored key or a PGP 8 key or ... is not visible to
> someone going to encrypt to a key.

Yes, that is _exactly_ my point, and which is why it should encrypt to all available subkeys by default :-)

/* Steinar */
--
Homepage: http://www.sesse.net/
Bug#318587: gnupg: should encrypt to all subkeys
On Sun, Jul 17, 2005 at 04:00:59PM +0200, Werner Koch wrote:

> Add:
>
>   encrypt-to 12345678!
>   encrypt-to 9abcdef0!
>
> to your gpg.conf. The two keys are the keyIDs of the respective
> subkeys. Don't forget the exclamation mark to force gpg to use
> exactly these subkeys.

That doesn't help me at all, of course -- I very rarely encrypt stuff to myself.

> You can't however force others to encrypt to a specific key; this is
> not defined by OpenPGP and we don't implement the highly questionable
> ARR PGP provides.

Well, does OpenPGP specify at all which subkeys to encrypt to? Is there a good reason why GnuPG simply can't encrypt to both by default?

> Another way to solve this is by generating the key on the host and
> transferring a copy to the smartcard. Off-card generation is actually
> the default for smartcard encryption keys.

Mm, but then I'd have to revoke the old encryption subkey to work around what I consider is a bug in GnuPG, and I'd hate accumulating cruft for such reasons :-/

/* Steinar */
--
Homepage: http://www.sesse.net/
Bug#318587: gnupg: should encrypt to all subkeys
On Sat, 16 Jul 2005 12:45:35 +0200, Steinar H Gunderson said:

> When encrypting to a master key with multiple encryption subkeys, GPG
> currently signs to only the newest one. In my case, one is available on
> my home computer (which does not always have a smart card reader
> attached), and the other one is available on a smart card only -- in
> other words, I would really like all messages encrypted to both by default.

Add:

  encrypt-to 12345678!
  encrypt-to 9abcdef0!

to your gpg.conf. The two keys are the keyIDs of the respective subkeys. Don't forget the exclamation mark to force gpg to use exactly these subkeys.

You can't however force others to encrypt to a specific key; this is not defined by OpenPGP and we don't implement the highly questionable ARR PGP provides.

Another way to solve this is by generating the key on the host and transferring a copy to the smartcard. Off-card generation is actually the default for smartcard encryption keys.

Salam-Shalom,

Werner
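The `encrypt-to KEYID!` trick above pins gpg to specific subkeys, but Steinar's problem is that the sender, not the key owner, picks the subkey. One thing a sender can do today is build the `-r KEYID!` list from the recipient's key listing. The script below is an added example, not code from the thread or from GnuPG: it parses `gpg --with-colons --list-keys` output (here a constructed listing with made-up key IDs stands in for a real key), keeps only subkeys that are encryption-capable and neither expired nor revoked, and emits the forced-subkey recipient arguments. Werner's PFS caveat applies: encrypting to every older subkey gives up the rollover benefit, so use this only for keys whose owner wants it, as in Steinar's card-plus-disk case.

```shell
# Constructed sample of `gpg --with-colons --list-keys <FPR>` (key IDs are
# placeholders). Colon fields: 1 = record type, 2 = validity ("e" expired,
# "r" revoked), 5 = key ID, 7 = expiry, 12 = capabilities ("e" = encrypt).
SAMPLE_LISTING='pub:u:2048:1:AAAAAAAA12345678:1120000000:::u:::scESC:
uid:u::::1120000000::UIDHASHPLACEHOLDER::Sample User <user@example.org>:
sub:u:2048:1:0000000012345678:1120000000::::::e:
sub:u:2048:1:000000009ABCDEF0:1121000000::::::e:
sub:e:2048:1:00000000DEADBEEF:1100000000:1110000000:::::e:
sub:r:2048:1:00000000BADBAD00:1115000000::::::e:
sub:u:2048:1:00000000CAFEBABE:1120000000::::::s:'

# Read a colon listing on stdin and print the key ID of every subkey that
# can encrypt and is still usable (not expired, not revoked). Signing-only
# subkeys (capability "s") are skipped; gpg would refuse them anyway.
usable_encryption_subkeys() {
    awk -F: '$1 == "sub" && $2 != "e" && $2 != "r" && index($12, "e") { print $5 }'
}

# Turn those key IDs into "-r KEYID!" arguments on one line. The trailing
# "!" tells gpg to use exactly that subkey instead of picking the newest.
recipient_args() {
    usable_encryption_subkeys |
        awk '{ a = a (NR > 1 ? " " : "") "-r " $1 "!" } END { print a }'
}

# Stand-alone demo on the constructed listing. With a real key you would
# run something like (assumed invocation, needs gpg and the key imported):
#   gpg $(gpg --with-colons --list-keys "$FPR" | recipient_args) -e file
printf '%s\n' "$SAMPLE_LISTING" | recipient_args
```

Expected output for the sample is `-r 0000000012345678! -r 000000009ABCDEF0!`; the expired, revoked and signing-only subkeys are dropped.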
Bug#318587: gnupg: should encrypt to all subkeys
Package: gnupg
Version: 1.4.1-1
Severity: wishlist

When encrypting to a master key with multiple encryption subkeys, GPG currently signs to only the newest one. In my case, one is available on my home computer (which does not always have a smart card reader attached), and the other one is available on a smart card only -- in other words, I would really like all messages encrypted to both by default.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.8
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)

Versions of packages gnupg depends on:
ii  devfsd         1.3.25-23      Daemon for the device file system
ii  libbz2-1.0     1.0.2-7        high-quality block-sorting file co
ii  libc6          2.3.5-1        GNU C Library: Shared libraries an
ii  libldap2       2.1.30-11      OpenLDAP libraries
ii  libreadline5   5.0-10         GNU readline and history libraries
ii  libusb-0.1-4   2:0.1.10a-16   userspace USB programming library
ii  makedev        2.3.1-78       creates device files in /dev
ii  zlib1g         1:1.2.2-8      compression library - runtime

gnupg recommends no packages.

-- no debconf information