Re: Multiple uid's vs. multiple primary keys & "master signing keys"

[David Koppenhofer]

On Mon, Jun 23, 2008 at 4:23 PM, David Shaw <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 23, 2008 at 03:28:44PM -0400, David Koppenhofer wrote:
>> Hi everyone,
>>
>> I'm a potential new gpg user, and have been struggling with a few
>> questions about how uid's and keys should be configured.e.
>> ...
>
> It's handy to make a distinction between your work and personal life,
> and for many or even most people, their personal "identity" is a lot
> longer lived than their work "identity".  People keep the same
> personal address for years, but don't as often keep the same job (and
> thus job address) for that long.
>
> Personally, I do this with two keys.  One personal, and one work.  I
> don't really get the work one signed, as people who want to reach me
> generally do so in my personal context (I do FOSS work, but I do it
> under my personal address as I've found that many people just send
> mail to personal addresses even there is a special address for FOSS
> stuff).

Thanks for the quick and helpful reply.  It's good to know that I
wasn't out in left field with my understanding of gnupg. :-)  Now, I
can make some decisions on how to proceed.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Multiple uid's vs. multiple primary keys & "master signing keys"

[David Koppenhofer]

On Mon, Jun 23, 2008 at 11:30 PM, Faramir <[EMAIL PROTECTED]> wrote:
>  I heard, a couple of weeks ago, about somebody who lost all her email
> accounts because her primary email address was hacked. The hacker knew
> the other email addresses, used the option "I forgot my password, send
> it to my secondary email", and all the other email accounts sent their
> passwords to the email that was compromised... allowing the hacker to
> take control of all these accounts, changing the security questions and
> secondary emails, so the true owner can't recover the accounts.

The thought of 'tying' my email accounts together through "I forgot my
password, send to my secondary email" has given me pause in the past.

I don't think any of my email accounts are currently set up with
another as a "secondary" email; password recovery is usually through
other means (e.g. security questions).

Thanks for sharing your thoughts about this.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher ID's

[David Shaw]

On Jun 24, 2008, at 6:10 PM, [EMAIL PROTECTED] wrote:


just curious // ? O.T.

gnupg lists the following cipher ID's for symmetric algorithms:

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
AES192 (S8), AES256 (S9), TWOFISH (S10)


rfc-4880 section 9.2
lists (S5) and (S6) as "Reserved"
http://tools.ietf.org/html/rfc4880#section-9

reserved for what?
and why couldn't they just be added later in sequence after
whatever the
last accepted algorithm is?


They could have been.  In the case of S5 and S6, they're marked as  
reserved because they were actually allocated at one point for SAFER- 
SK128 (S5) and DES/SK (S6).  They're marked as reserved now to make  
sure they're not used by anyone for anything.


David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher ID's

[John W. Moore III]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Robert J. Hansen wrote:

> People add ciphers to the OpenPGP suite which are not explicitly
> included in the spec.  E.g., Camellia right now, or the people who are
> experimenting around with ECDSA, or... etc.
> 
> If it was just "add it to the end", then every experimental OpenPGP
> platform out there would have problems.  If S14 (to pick a random unused
> cipher number) is an experimental implementation of RC6, then what
> happens when AES-256.5 (a full 1.414 times stronger than AES256!) gets
> assigned to S14?
> 
> Fine, the experimental group moves up to S15.  But all of the traffic
> they've already generated is still marked as S14.  That means when they
> try to decrypt their traffic, they'll be decrypting it with AES-256.5
> instead of RC6.  Which means decryptions will fail.  Which means ugly
> kluges will have to be written to handle this.  And... etc., etc.
> 
> It's easier on everyone if it's done OpenPGP's way.

Most Excellent Answer!  FWIW; the 'Working Group' is still mulling the
inclusion of OID as part of ECC.  Who knows what, if anything, will be
assigned to these identifiers.  If One follows the 'David Shaw'
proposals for Camellia algorithm it will be found that the identify
nomenclature changed several times.  It still isn't 'final adopted' and
may change again.

I Love the "Hansen/Clizbe" Warning; if Ya follow the /Bleeding Edge/ and
things get broken You 'own' all the pieces!

JOHN ;)
Timestamp: Tuesday 24 Jun 2008, 19:21  --400 (Eastern Daylight Time)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.5.0-svn4754: (MingW32)
Comment: Public Key at:  http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage:  http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJIYYHIAAoJEBCGy9eAtCsPVisIAIonv1JwEKeQVp6gtdP8HyoY
WFLzTPvQCMdLbuAyen66xSbnLYsLKx70CjY/l6Ku9xpyIvXv5HNeUU80l8AbGAFM
fhLjOldLQWrAgaBcC0HNa4DIJUTirKYRZy1iRYxF+Q45d7QICd1S7/hC1Zm+xMqs
haJKrvh0KGg7x9braUKuItMzIs8Gv5FvF0g1CrYD217noRKj9b9ew9y0RuAweXNw
XrbZAfQmxniXRME+TL7GGn75sxq1p8HqgvkSNM4X/8eH/F2UF5R4XoODhrhK44mR
V5BMPc4qWTtRVlaRR6cvAcZC4rXoNivjfHKJ0RHNicZTU5ScO/TSO+Nip20ObN8=
=Nadv
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: SCM SPR532 & Ubuntu 8.04 & GnuPG 1.4.6 versus GnuPG 2.0.7

[Michael Bienia]

On 2008-05-31 19:39:18 +0200, Tobias Weisserth wrote:
Hello,

> I followed all the tutorials and howto documents I could and I managed to
> figure out that I had to tweak the USB driver bundle installation of the SCM
> driver to copy the bundle into the right directory for Ubuntu 8.04. After
> restarting pcscd I could use GnuPG 1.4.6 with the card.

I've a SCM SPR532 too, and it works without problems on Ubuntu 8.04. But
I don't use pscd, just plain gpg/gpg2 with gpg-agent to access it.

> So, after trying different things I managed to initialize my card and
> generate a new key using GnuPG 1.4.6 (current Ubuntu stable package).
> 
> However, GnuPG 2.0.7 (Ubuntu 8.04 package) will not read the card like GnuPG
> 1.4.6. When I do a

Have you tried to use the card reader with gpg only (no pcscd)? You need
to get udev to create the device nodes with the correct permission to
use the card reader as a user. I attached my udev rules. Put that file
into /etc/udev/rules.d, create the "scard" group, add your user to it
(don't forget to re-login) and restart udev. Don't forget to stop pcscd.
(Note to self: I should get this bug finally fixed for Ubuntu intrepid).

You should be able to access the card reader through gpg with and
without gpg-agent.

> I would also like to know how the whole setup is integrated with graphical
> clients in Ubuntu 8.04, for example Evolution, Seahorse and such.

I use pinentry-gtk2 to get told when I should enter the pin. As I don't
use Evolution or Seahorse, I don't know how to best integrate with it. I
know that Seahorse has it's own gpg-agent, but I don't know how well
Seahorse works with the original gpg-agent or if the seahorse-agent can
access the card reader.
When you test with gpg-agent make sure that you use the one provided
from gpg2.

Regards,
Michael
ACTION!="add", GOTO="gnupg-ccid_rules_end"

# USB SmartCard Readers
## SCM readers (SCR335, SPR532, & Co)
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="e001", 
GROUP="scard", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="e003", 
GROUP="scard", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5115", 
GROUP="scard", MODE="0660"

# PCMCIA SmartCard Readers
## Omnikey CardMan 4040
SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"

LABEL="gnupg-ccid_rules_end"
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher ID's

[Robert J. Hansen]

[EMAIL PROTECTED] wrote:

reserved for what?


Future use.  Hate to give an answer that's so glib, but that's what it
is.  As of right now, I don't believe there's any consensus on what will
ultimately go there, or if they will ever be used -- but the spec is
including "room to grow", as it were, by telling every implementation
author "don't use those codes for your own OpenPGP extensions, we may
use them someday".


and why couldn't they just be added later in sequence after whatever
the last accepted algorithm is?


People add ciphers to the OpenPGP suite which are not explicitly
included in the spec.  E.g., Camellia right now, or the people who are
experimenting around with ECDSA, or... etc.

If it was just "add it to the end", then every experimental OpenPGP
platform out there would have problems.  If S14 (to pick a random unused
cipher number) is an experimental implementation of RC6, then what
happens when AES-256.5 (a full 1.414 times stronger than AES256!) gets
assigned to S14?

Fine, the experimental group moves up to S15.  But all of the traffic
they've already generated is still marked as S14.  That means when they
try to decrypt their traffic, they'll be decrypting it with AES-256.5
instead of RC6.  Which means decryptions will fail.  Which means ugly
kluges will have to be written to handle this.  And... etc., etc.

It's easier on everyone if it's done OpenPGP's way.

(Note -- while RC6 is a real algorithm, AES256.5 is not; it's firmly
tongue in cheek.)



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cipher ID's

[vedaal]

just curious // ? O.T.

gnupg lists the following cipher ID's for symmetric algorithms:

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), 
AES192 (S8), AES256 (S9), TWOFISH (S10)


rfc-4880 section 9.2
lists (S5) and (S6) as "Reserved"
http://tools.ietf.org/html/rfc4880#section-9

reserved for what?
and why couldn't they just be added later in sequence after 
whatever the 
last accepted algorithm is?


vedaal

any ads or links below this message are added by hushmail without 
my endorsement or awareness of the nature of the link

--
Beauty Advice Just Got a Makeover
Read reviews about the beauty products you have always wanted to try
http://tagline.hushmail.com/fc/JKFkuIjyaQLHA3r4kJXTztVlfip7JJti1ekNNL6Xj5tftJ1DGG9Xx9/


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: About my prefered settings...

[Faramir]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

David Shaw escribió:

>>  Also, I couldn't locate the list of equivalences between names and
>> codes, like AES256 - S9 in the gpg.man file... I found a list using
>> google, but it is for an older version, which didn't include all the
>> things available in version 1.4.9...
> 
> gpg -v --version lists all the number codes, but again, use the names.

  Thanks, David (and thanks to Kevin Hilton, he wrote about the same
command, very useful), and of course, all the other people sharing their
knoledge :)

  And I was wrong when I said I had not yet messed the config file... I
erased the utf-8 preference, and now, there are no more weird characters:

Home: C:/Archivos de programa/GNU/GnuPG
Algoritmos disponibles:
Clave pública: RSA, RSA-E, RSA-S, ELG-E, DSA
Cifrado: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Resumen: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compresión: Sin comprimir, ZIP, ZLIB, BZIP2

(last time, there were words like "Compresión:" and "Características:")

Well, I think I don't have more doubts about gpg settings... I will do a
little "research" about strength of algorithms,(wikipedia, probably),
and I won't mess with the character sets any more...

Now, the bad new... I will install gpg 2 in a virtual machine, and start
trying to figure how do the new features work... so there will be a lot
more questions... :P

Best Regards, and thanks for the help provided, it is really hard to
find a list so active and helpful as this one (Enigmail list is great,
too... maybe because a lot of people is in both lists)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJIYQCPAAoJEMV4f6PvczxAkfwH/jnMpmA8uPZvsCpV0P/wGISR
aq80lEfk5+bgmPbX/aGAy6aFcTcWmhnrvK0t4BpJ2Bq4pQ4Sx+EUbhVkVKOg5bou
SkrOKxeHBYZO2D0Hg1O0HRmFMJTcbQ7uHcPbZ6x+CRobcL+ZQeOjlKkKq6ZI8fky
EGhHfl2gKYYOQRDyRVX5g5cD03R4geQE+K+St2YGH5QYxdiap1GWoWnBrSFLADx1
30JExaq3LsTe63Tazr/du842Tck9J5XpOOasnaWl3ZptFC1t/gT+KTPuKDoC2Wu0
5EAX0yl5HatAkinloT4KAuvV5Ao5X1Ie8M/E6XEwK/qHmvZkUqTcTctc5SkgvDk=
=sQbN
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: About my prefered settings...

[David Shaw]

On Jun 24, 2008, at 12:27 AM, Faramir wrote:


 Thanks for the answers. I am a bit confused about if I should use
names like aes256 or codes like S9. Also, do I have to include all the
cipher/digest/compress algorithms available to my installed gpg, or  
just
 one or two? The idea would be "if you can, use this one, if not, do  
as

you wish/can"


S9 and AES256 are the same thing.  Use whichever you like.  I'd  
recommend using the full name - the S9 thing is really just backwards  
compatibility to an older version of GPG.


For personal-blahblah-preferences, list the ones you want to use when  
you make messages.  If that list fails (because your recipients can't  
all handle them), you'll end up with 3DES.  Similarly, when setting  
preferences on your key, list the ones you want other people to use  
when they make messages for you.  Again, if that list fails (because  
the other recipients of the message can't all handle them), you'll end  
up with 3DES.



 Also, I couldn't locate the list of equivalences between names and
codes, like AES256 - S9 in the gpg.man file... I found a list using
google, but it is for an older version, which didn't include all the
things available in version 1.4.9...


gpg -v --version lists all the number codes, but again, use the names.

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

About my prefered settings...

[Kevin Hilton]

Typing gpg -v --version will give you the capabilities along with the
relative numbers for your compiled version of gpg

Example:

$ gpg -v --version
gpg (GnuPG) 1.4.10-svn4783
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192
(S8),

AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12),
CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
  SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)

-- 
Kevin Hilton
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users