Re: moving user ID Comments to --expert mode
On 2/4/11 2:16 AM, Doug Barton wrote:
> I recognized it, but I don't think the answer is as central to the
> question of moving comments to expert mode as you do. Daniel's argument
> boils down...

I wasn't responding to Daniel. I was responding to Matt Goins, as was shown in my message, who said he had never seen any comment that helped him identify the owner of a key in a meaningful way. To that statement, pointing out the ham radio community's use of comment fields to store license numbers is on point. Moving the goalposts to, "but ham operators can still set comment fields with --expert," is not.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:52, Robert J. Hansen wrote:
> On 2/3/11 8:36 PM, Doug Barton wrote:
>>> then it's disingenuous to say "but they can just use expert mode."
>>
>> Why?
>
> Because it does not recognize the validity of a well-answered question.

I recognized it, but I don't think the answer is as central to the question of moving comments to expert mode as you do. Daniel's argument boils down to "almost everyone who uses a comment doesn't need to, and most of the ones who do use them poorly." Your counter argument boils down to, "yeah, but here is a group of people who use comments well." I gave a tongue-in-cheek response, but the kernel of it was (IMO) pertinent.

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: moving user ID Comments to --expert mode
On Thu, 3 Feb 2011 21:59, d...@fifthhorseman.net said:
> * new users see the prompt and think they need to enter something
> there, without understanding why or what to put there. This leads to
> people either making a witticism (e.g. "No Comment"), repeating their

I have only seen a few of these comments; thus I don't think it is a real problem. I use the comment field mainly to indicate a test key and I have seen other sensible usages as well. Many might not know that there is a help feature for every input field:

  GnuPG needs to construct a user ID to identify your key.

  Real name: d
  Email address: @
  Comment: ?
  Please enter an optional comment.
  The characters "(" and ")" are not allowed.
  In general there is no need for a comment.
  Comment:

but many more users are using a GUI for key generation and thus it is up to the GUI to preset the comment field. For example GPA uses in non-advanced mode a wizard dialog for key generation and that one does not ask for comment.

I don't have any strong feelings about this, however, here is my own proposal:

  GnuPG needs to construct a user ID to identify your key.

  Real name: d
  Email address: @
  You selected this USER-ID:
      "d "

  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? c
  Comment: test key
  You selected this USER-ID:
      "d (test key) "

  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? q

No expert option and no translation changes required, just one more key stroke to enter a comment. The drawback is as with the --expert option: we will receive bug reports like "I can't enter a comment anymore" ;-).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: moving user ID Comments to --expert mode
On 03-02-2011 22:17, Doug Barton wrote:
> On 02/03/2011 17:10, Robert J. Hansen wrote:
...
>> The problem with anecdote is everyone's anecdote is different. As a ham
>> radio operator (KC0SJE), I have a fair number of keys that have comments
>> of "Amateur radio: KC0SJE".
>
> So, you're saying that hams are not smart enough to figure out how to
> use expert mode if they really want this functionality? :)

Guys, it is just a comment field, is it so hard to ignore comments that are meaningless to you? Maybe they have some meaning to someone else.

Personally, I'm tired of saying "ok, where did they put that thing I used to use, and that was so easy to find in the previous version?".

Best Regards
Re: moving user ID Comments to --expert mode
On 03-02-2011 17:59, Daniel Kahn Gillmor wrote:
...
> When keysigning, if i get asked to certify a key with a "comment" like
> this, i don't know what to say. What am i certifying if i say that this
> key really belongs to "Joe Schmoe (no comment) " ? "Joe
> Schmoe " i can understand and certify, but the
> intervening comment doesn't seem sensible or verifiable.

Well, but a comment is just a comment... you don't have to verify them...

> There are indeed some possibly legitimate uses of comments, but many of
> them would be better handled with notations attached to subkeys or
> notations attached to particular user IDs.

I don't know how to attach notations to subkeys, but probably in that case they would remain unread. People check UIDs, but how often do we check subkeys?

When you create the key, you need to create the first UID, so the comment is already attached to a particular user ID. Later you can make another UID, make it the main UID, revoke the old one, etc.

> What do other people think?

I don't see the problem. Comments may be useful, or may remain empty, or may include something not useful... but it's just a comment.

Best Regards
Re: moving user ID Comments to --expert mode
On 2/3/11 8:36 PM, Doug Barton wrote:
>> then it's disingenuous to say "but they can just use expert mode."
>
> Why?

Because it does not recognize the validity of a well-answered question. When a question is asked and answered, it is good form to recognize the answer, rather than say "... well, but!...". Moving the goalposts, in addition to being a logical fallacy, tends to persuade people that you're not really interested in the answer.

...

E.g., "Lee Harvey Oswald didn't kill Jack Kennedy! The shots weren't fired from the Texas Book Depository."

Well, in point of fact, his co-workers saw him going up to the floor where he fired from, and a lifelong hunter co-worker of his was exactly one floor below and heard the gunshots, the shooter working the bolt of the rifle, and the brass ejecting on the floor.

"But there's no way any human being could fire those shots that quickly and accurately! That's the work of a military sniper, not a deranged gunman! Oswald couldn't have been the shooter!"

Well, now you're moving the goalposts: but, while we're talking about it, the Warren Commission was able to find an Army specialist[*] who was able to not only fire faster than that, but with better accuracy.

"But what about the grassy knoll and the fourth gunshot?!"

... Listen, you're not really interested in having a discussion about this, are you? For every claim of yours that gets refuted, you just move the goalposts somewhere else. I'm done talking: it doesn't matter what answer I give, you're going to keep subscribing to these ridiculous and refuted conspiracy theories.

[*] Non-Americans: 'specialist' is a rank in the United States Army, just barely above a raw recruit. Instead of being a "specialist shooter," as you might think from the phrase "Army specialist," it really means, "the Warren Commission found a young soldier who was barely able to tie his own shoes without a sergeant's help, and even *he* was able to do a better job than Oswald."
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:10, Robert J. Hansen wrote:
> On 2/3/11 5:32 PM, Matthew James Goins wrote:
>> Personally I've never seen a comment that helped me identify the owner
>> of a key in a meaningful way.
>
> The problem with anecdote is everyone's anecdote is different. As a ham
> radio operator (KC0SJE), I have a fair number of keys that have comments
> of "Amateur radio: KC0SJE".

So, you're saying that hams are not smart enough to figure out how to use expert mode if they really want this functionality? :)

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: moving user ID Comments to --expert mode
On 02/03/2011 17:23, Robert J. Hansen wrote:
> On 2/3/11 8:17 PM, Doug Barton wrote:
>> So, you're saying that hams are not smart enough to figure out how to
>> use expert mode if they really want this functionality? :)
>
> You're moving the goalposts. That was responding to someone who denied
> the usefulness of comments at all. If I'm establishing there are
> communities who use comments, and these communities often exist under
> the radar of list members,

I don't disagree with anything above, but

> then it's disingenuous to say "but they can just use expert mode."

Why?

Restating my argument in a more serious fashion:

1. There are very few people who usefully benefit from comments
2. Most novice users who add a comment do so badly
3. Therefore moving the option to expert mode is a win for the community.

> Whether it should be in normal mode or expert mode is a completely
> different question from whether there exist a significant number of
> users who find the comment field useful.

I actually disagree with this as stated, although I will grant you that point 2 above is included in the overall issue. :)

> As long as we're moving things into expert mode, I'd like to see all
> non-default options moved into expert mode, including key lengths. I've
> never seen anyone outside of the intelligence community who had a need
> for a 4096-bit key: why do we support generating them? I've seen people
> screw up expiration dates more often than I've seen them use expiration
> dates as part of a sane, rational security policy: why is this option
> part of the default, why isn't setting an expiration date reserved for
> expert users? Etc., etc.

That all sounds good to me.

Doug (seriously)

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: moving user ID Comments to --expert mode
On 2/3/11 8:17 PM, Doug Barton wrote:
> So, you're saying that hams are not smart enough to figure out how to
> use expert mode if they really want this functionality? :)

You're moving the goalposts. That was responding to someone who denied the usefulness of comments at all. If I'm establishing there are communities who use comments, and these communities often exist under the radar of list members, then it's disingenuous to say "but they can just use expert mode."

Whether it should be in normal mode or expert mode is a completely different question from whether there exist a significant number of users who find the comment field useful.

As long as we're moving things into expert mode, I'd like to see all non-default options moved into expert mode, including key lengths. I've never seen anyone outside of the intelligence community who had a need for a 4096-bit key: why do we support generating them? I've seen people screw up expiration dates more often than I've seen them use expiration dates as part of a sane, rational security policy: why is this option part of the default, why isn't setting an expiration date reserved for expert users? Etc., etc.

If you open up the "well, I think it ought to be in expert mode," there are a lot of other things that ought to be moved over there first.
Re: moving user ID Comments to --expert mode
On 2/3/11 5:32 PM, Matthew James Goins wrote:
> Personally I've never seen a comment that helped me identify the owner
> of a key in a meaningful way.

The problem with anecdote is everyone's anecdote is different. As a ham radio operator (KC0SJE), I have a fair number of keys that have comments of "Amateur radio: KC0SJE". (A former cert of mine had "Amateur Radio" tagged on my kc0sje@my.domain address, for instance.)

And yes, I do find it helpful to have someone's ham call on their key: when I'm sending a contact report to someone, it's nice to be able to grep through my keyring looking for their call sign and get the email address it should go to.

The user community is huge. Just because you don't see it doesn't mean other people don't use it.
Re: moving user ID Comments to --expert mode
On Thu, Feb 03, 2011 at 04:07:40PM -0500, Robert J. Hansen wrote:
> Whenever people talk about what "most users" need, I have to ask to see
> the user survey that's showing this.

I don't think it matters what the real numbers are. We've all seen user ids with utterly unhelpful comments, and it stands to reason that some fraction of them were put in place because novice users felt obligated to include a comment. The first time I used gnupg this is exactly what I did, as evident in my old keys on the keyservers.

Personally I've never seen a comment that helped me identify the owner of a key in a meaningful way. So since it occasionally causes silliness, and rarely or never to my knowledge helps, I would go so far as to say that use of comments should be strongly discouraged.

--mjgoins
Re: moving user ID Comments to --expert mode
On 2/3/11 6:09 PM, Jameson Rollins wrote:
> Just out of curiosity, can you explain why you wouldn't sign dkg's
> hypothetical user ID?

Because with a comment like that, my impression would be that he was aiming to deliberately yank my chain: and why should I put up with that?

To use that as an example, and to simultaneously lose sight of the "you know, I'm kind of being a jerk here, and why should he do me a favor by making a certification if I'm being a jerk to him?" factor, is to reduce humanity to automation. It implicitly says, "you must do this, because to be otherwise is illogical."

I demand logic in technical matters. In social matters, I embrace my humanity, which is to say my right to be inconsistent. I heartily recommend this course of living to everyone.
Re: learning which symmetric cipher via --status-fd when decrypting
> Message: 8
> Date: Thu, 03 Feb 2011 02:28:05 -0500
> From: Daniel Kahn Gillmor
>
> is there a way to get information about which symmetric cipher was
> used on an encrypted message when decrypting?

There may be other direct ways, but a simple unexpected way, is to use the option of --show-session-key. Upon decryption, GnuPG shows the number of the symmetric algorithm, followed by a colon, followed by the session key string (i.e., '2:' indicates that 3DES is the symmetric cipher used).

vedaal
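Added example, not part of vedaal's message: a Python parser for the SESSION_KEY line that gpg writes to --status-fd when --show-session-key is given, in the "algorithm:hexkey" form described above. The algorithm IDs and key lengths are the OpenPGP values from RFC 4880 section 9.2; the sample status lines below are constructed and the hex is filler, not a real key. The function reports the cipher and checks that the key material has the right length, but deliberately never returns the key itself, since --show-session-key exposes the actual decryption key of the message and that value should not end up in a log.

```python
import re

# OpenPGP symmetric-key algorithm IDs (RFC 4880 section 9.2) with the
# key length in bytes each cipher uses.  ID 2 is TripleDES, the "2:"
# case mentioned in the post.
SYMMETRIC_ALGOS = {
    1: ("IDEA", 16),
    2: ("3DES", 24),
    3: ("CAST5", 16),
    4: ("Blowfish", 16),
    7: ("AES-128", 16),
    8: ("AES-192", 24),
    9: ("AES-256", 32),
    10: ("Twofish", 32),
}

# "[GNUPG:] SESSION_KEY <algo>:<hexdigits>" as emitted on the status fd.
_SESSION_KEY_RE = re.compile(r"^\[GNUPG:\] SESSION_KEY (\d+):([0-9A-Fa-f]+)")


def cipher_from_status(status_lines):
    """Find the SESSION_KEY status line and report which cipher it names.

    Returns a dict with the algorithm id, its name and whether the hex
    key material has the length that cipher requires, or None when no
    SESSION_KEY line is present.  The key bytes are not returned.
    """
    for line in status_lines:
        m = _SESSION_KEY_RE.match(line.strip())
        if not m:
            continue
        algo = int(m.group(1))
        key_hex = m.group(2)
        name, key_len = SYMMETRIC_ALGOS.get(algo, ("unknown", None))
        return {
            "algo": algo,
            "cipher": name,
            "key_length_ok": key_len is not None and len(key_hex) == 2 * key_len,
        }
    return None


def decryption_cipher(status_fd_output):
    """Convenience wrapper that takes the raw text read from --status-fd."""
    return cipher_from_status(status_fd_output.splitlines())


if __name__ == "__main__":
    # Constructed status-fd output for a 3DES-encrypted message; the
    # 48 hex digits are filler standing in for a 24-byte session key.
    SAMPLE = (
        "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n"
        "[GNUPG:] GOOD_PASSPHRASE\n"
        "[GNUPG:] SESSION_KEY 2:" + "AB" * 24 + "\n"
        "[GNUPG:] BEGIN_DECRYPTION\n"
        "[GNUPG:] DECRYPTION_OKAY\n"
        "[GNUPG:] END_DECRYPTION\n"
    )
    print(decryption_cipher(SAMPLE))
```

In a script this would wrap something like `gpg --status-fd 2 --show-session-key --decrypt file.gpg` and read stderr; the length check catches a truncated or mangled line before the algorithm id is trusted.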
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 17:54:39 -0500, "Robert J. Hansen" wrote:
>> But i suspect he would not want to certify this User ID:
>>
>> Daniel Kahn Gillmor (I am really Robert Hansen)
>
> Correct. Because the presence of my signature means something. The
> *absence* means *nothing at all*, and you're smart enough to know that.

Just out of curiosity, can you explain why you wouldn't sign dkg's hypothetical user ID?

jamie.
Re: moving user ID Comments to --expert mode
On 2/3/11 6:30 PM, David Shaw wrote:
> Or are you arguing the *meaning* of the certification (you may or may
> not sign the user ID, but if you did sign it, the comment part should
> be considered null and void in terms of your particular
> certification)?

This. I may agree with the comment, I may disagree with it, but either way I am not vouching for it.
Re: moving user ID Comments to --expert mode
On Feb 3, 2011, at 5:10 PM, Robert J. Hansen wrote:
>> I invite you to look through the User IDs in your own keyring, from the
>> perspective of a potential certifier, and ask yourself "what does it
>> mean for me to certify these comments?"
>
> Zero. Comments don't get certified. All my signature means is I have
> met this person face to face, have seen two forms of government
> identification, have confirmed a fingerprint and exchanged an email at
> that address. There's nothing in my signature policy that addresses
> comments, nothing at all.

I'm afraid I'm not parsing your point here. Comments are part of the user ID field. When you make a certification, they are included in the hash. You can't sign part of a user ID.

Are you saying that you don't sign things with comments? ("Comments don't get certified"). Or are you arguing the *meaning* of the certification (you may or may not sign the user ID, but if you did sign it, the comment part should be considered null and void in terms of your particular certification)? Or something else?

>> Omitting the baffling prompt entirely would be the most terse, which is
>> what i propose. Do you object to that?
>
> Without a good basis, yes, I do. If you change this prompt you will
> also break a ton of scripts that expect this prompt. Not only that, but
> since key generation is a rare occurrence the breakage may occur months
> or years after the change is made. This isn't something to be done lightly.

I suppose I don't really have particularly strong feelings about whether "comment" is put under --expert or not, but either way this argument is not a good one. We have made many changes to the keygen prompts over time, and no doubt will continue to do so in the future. The only scriptable interface for key generation in GPG is --batch --key-gen, and it is documented as such.

David
Re: moving user ID Comments to --expert mode
On 02/03/2011 14:22, Jameson Rollins wrote:
> I have to agree with Daniel that I have in fact honestly never spoken to
> anyone who was *not* confused by that field. I can't ever remember
> seeing a comment field used in any way that made sense to me.

I'm as pedantic as the next geeky dev, but I agree with this, and believe that arguing from example is perfectly valid in this case. FWIW I would love to see the comment field moved to expert mode since it rather clearly qualifies under the "If you don't already know that you need this, you don't need this" category that --expert is designed to protect the casual user from.

I think (Optional) would be an Ok compromise if that's what the gnupg devs think is right, although something closer to (You probably don't want to type anything here, no, really, don't do it) would be better. :)

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: moving user ID Comments to --expert mode
On 02/03/2011 15:16, Hauke Laging wrote:
> On Thursday 03 February 2011 23:22:38, Jameson Rollins wrote:
>> I think this is why his original suggestion was to move it instead to
>> --expert. Moving it to --expert makes a lot of sense to me.
>
> Perhaps it makes sense to extend the output of --gen-key by a hint like
> "Additional features are enabled by the option --expert. Have a look at
> the documentation." This is independent of this discussion, though. It
> took me several years to notice this option... ;-)

That's part of the test. Congratulations on your passing grade. :)

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: moving user ID Comments to --expert mode
On Thursday 03 February 2011 23:22:38, Jameson Rollins wrote:
> I think this is why his original suggestion was to move it instead to
> --expert. Moving it to --expert makes a lot of sense to me.

Perhaps it makes sense to extend the output of --gen-key by a hint like "Additional features are enabled by the option --expert. Have a look at the documentation." This is independent of this discussion, though. It took me several years to notice this option... ;-)

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: moving user ID Comments to --expert mode
On 2/3/11 5:47 PM, Daniel Kahn Gillmor wrote:
>> By certifying the full user ID you are also certifying the comment.

This is not how either OpenPGP or GnuPG work. Certifiers get to define what their certifications mean. Bang, period, end of sentence.

There are *no* certification semantics in OpenPGP: there is only a rich and comprehensive set of syntactic primitives. It's true that, say, a persona-level signature is different syntactically than an I-have-done-extensive-checking signature: but OpenPGP quite wisely says *nothing* about the level of checking which goes into each signature level.

If you see a certification and you assume you know what the certifier intends, then you are living in sin. Ask the certifier for their policy: that's the only way to know. Some people will make certifications willy-nilly ("well, I've traded emails with the guy a few times..."). Some will make certifications only very carefully. Some will make totally unreasonable certifications because they don't know any better, and some will not make reasonable certifications because they have an abundance of paranoia. Unless you ask the certifier, *you do not, and cannot, know*.

By certifying the full user ID, I am making a statement that is derived from my own local certification policy. That's all. Nothing else.
Re: moving user ID Comments to --expert mode
On 2/3/11 5:47 PM, Daniel Kahn Gillmor wrote:
> Just to clarify this point:

This is not a clarification: this is a confusion.

> If i meet Robert in person, show him my gov't IDs, my fingerprint, and
> we exchange e-mails, Robert would probably be fine certifying this User ID:
>
> Daniel Kahn Gillmor

Yes. And my signature would mean exactly that: I'd seen two forms of government ID, seen you face to face, verified fingerprints, and confirmed your email address works.

> But i suspect he would not want to certify this User ID:
>
> Daniel Kahn Gillmor (I am really Robert Hansen)

Correct. Because the presence of my signature means something. The *absence* means *nothing at all*, and you're smart enough to know that.

I am under no obligation to make any signatures, and I am free to add whatever conditions I want to it. Maybe I don't want to sign your certificate because you're a redhead, and I've never been able to find it in my heart to ever trust a ginger.[*] Maybe I don't want to sign your certificate because it's a Thursday. Maybe I don't want to sign your certificate because I've just had a bad day and I can't be bothered. Maybe ...

If you see a signature from me, you know what it means. If you don't, then you can't draw any inferences whatsoever. Why do you want people to draw inferences from my unwillingness to sign a certificate, when it's plainly obvious there are no inferences to be drawn from that?

[*] Quite tongue in cheek, given that I'm a redhead myself.
Re: moving user ID Comments to --expert mode
On 02/03/2011 05:22 PM, Jameson Rollins wrote:
> On Thu, 03 Feb 2011 17:10:58 -0500, "Robert J. Hansen" wrote:
>> Zero. Comments don't get certified. All my signature means is I have
>> met this person face to face, have seen two forms of government
>> identification, have confirmed a fingerprint and exchanged an email at
>> that address. There's nothing in my signature policy that addresses
>> comments, nothing at all.
>
> I'm not sure I understand this comment. Certifications are over user
> IDs. The comments are in the user IDs. By certifying the full user ID
> you are also certifying the comment.

Just to clarify this point:

If i meet Robert in person, show him my gov't IDs, my fingerprint, and we exchange e-mails, Robert would probably be fine certifying this User ID:

  Daniel Kahn Gillmor

But i suspect he would not want to certify this User ID:

  Daniel Kahn Gillmor (I am really Robert Hansen)

And he would be right to avoid certifying it.

--dkg
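Worked example, added to this archive and not part of any message in the thread: a small Python script that builds and parses the "Name (Comment) <email>" user ID that gpg --gen-key assembles from its prompts (the "d (test key)" transcript in Werner's message), and that reproduces the User ID portion of a v4 certification hash as RFC 4880 section 5.2.4 defines it (the constant 0xB4, a four-octet length, then the User ID octets). That is the mechanical form of David Shaw's point that the comment is inside what a certification signs and dkg's two-user-ID illustration above. The function names, the example e-mail addresses and the use of SHA-256 are this example's own choices; a real certification also hashes the key packet and the signature's own trailer, which are left out here.

```python
import hashlib
import re
import struct

# Regex for the "Name (Comment) <email>" layout gpg --gen-key builds from
# its three prompts; the comment and the address parts are both optional.
_UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*"
    r"(?:\((?P<comment>[^)]*)\))?\s*"
    r"(?:<(?P<email>[^>]*)>)?$"
)


def compose_uid(name, comment="", email=""):
    """Build a User ID string the way the --gen-key prompts do.

    Mirrors the prompt help text quoted in the thread: "(" and ")" are not
    allowed in a comment; the name must not contain "<" or ">" either.
    """
    if "<" in name or ">" in name:
        raise ValueError("name must not contain '<' or '>'")
    if "(" in comment or ")" in comment:
        raise ValueError("comment must not contain '(' or ')'")
    uid = name.strip()
    if comment.strip():
        uid += " (%s)" % comment.strip()
    if email.strip():
        uid += " <%s>" % email.strip()
    return uid


def parse_uid(uid):
    """Split a User ID into (name, comment, email); missing parts are ''."""
    m = _UID_RE.match(uid)
    if m is None:
        raise ValueError("not a Name (Comment) <email> user ID: %r" % uid)
    return (m.group("name").strip(),
            (m.group("comment") or "").strip(),
            (m.group("email") or "").strip())


def uid_hash_input(uid):
    """Bytes a v4 certification hashes for the User ID packet.

    RFC 4880 section 5.2.4: the User ID is hashed as the constant 0xB4,
    a four-octet big-endian length, then the User ID octets.  This is the
    UID portion only; the key packet and signature trailer are omitted.
    """
    data = uid.encode("utf-8")
    return b"\xb4" + struct.pack(">I", len(data)) + data


def uid_digest(uid):
    """SHA-256 over the hashed UID portion (the digest choice is illustrative)."""
    return hashlib.sha256(uid_hash_input(uid)).hexdigest()


def comment_is_covered(name, comment, email):
    """True when adding the comment changes the bytes the certifier signs."""
    return uid_digest(compose_uid(name, "", email)) != \
        uid_digest(compose_uid(name, comment, email))


if __name__ == "__main__":
    # Constructed values; the address is a placeholder, not dkg's real one.
    uid = compose_uid("Daniel Kahn Gillmor", "I am really Robert Hansen",
                      "dkg@example.org")
    print(uid)
    print(parse_uid(uid))
    print(uid_digest(uid))
    print(comment_is_covered("Daniel Kahn Gillmor",
                             "I am really Robert Hansen", "dkg@example.org"))
```

Because the comment sits between the length prefix and the address inside one hashed string, there is no way to certify "Daniel Kahn Gillmor <...>" while leaving "(I am really Robert Hansen)" out; the only per-user-ID choice a certifier has is to sign that whole string or not.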
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 16:30:00 -0500 Daniel Kahn Gillmor articulated:
> On 02/03/2011 04:07 PM, Robert J. Hansen wrote:
>> On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
>>> * most people just need a simple identity-driven OpenPGP
>>> certificate, one that matches their name and e-mail address.
>>
>> Whenever people talk about what "most users" need, I have to ask to
>> see the user survey that's showing this. History has shown that
>> technically sophisticated users' ideas of what "real users" need
>> tends to not correlate very tightly with what "real users" say they
>> need.
>
> my "user survey" is from several years of trying to personally help
> dozens of people of all skill levels learn how to use OpenPGP for
> secure messaging. Regardless of the intelligence or technical savvy
> of the people i've personally helped get more comfortable with
> OpenPGP, i believe all of them have been baffled by the Comment:
> prompt.

Statistically speaking, a few dozen users is not very meaningful. Furthermore, did you have a test group to compare these results against? In addition, did any one who claimed to be knowledgeable with the concepts of PGP ask you for assistance? Probably not, which causes your statistical analyses to be in error. It reminds me of the famous Coca-Cola debacle in the 80's. Their analysis was so flawed that they eventually fired everyone involved in the fiasco, not to mention the fact that they lost millions of dollars.

In any case, statistics can be made to represent anything you want them to. If 5% of a group suffers from constipation does that mean the remaining 95% enjoys it?

--
Jerry ✌
gnupg.u...@seibercom.net
_
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

Q: What is the difference between Texas and yogurt?
A: Yogurt has culture.
Re: Solution: Crontab running gpg script can’t find secret key
On Thursday 03 February 2011, griffmcc wrote:
> Here's what works for me:
>
> echo 'password' | gpg -vvv --homedir /root/.gnupg --batch
> --passphrase-fd 0 --output /usr/share/file.gpg --encrypt --sign
> /usr/share/file.tar.bz2

I suggest setting the passphrase of the key to an empty passphrase. Using a non-empty passphrase and then putting this "secret" passphrase in the crontab totally defeats the purpose of the passphrase. Moreover, the passphrase will be available to anybody who knows ps.

Regards,
Ingo
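Added example, not from Ingo's or griffmcc's messages: a Python version of the cron job that keeps the passphrase out of the crontab text and out of the gpg argument list. If a passphrase is used at all, it is read from a file that must be owned by the caller and mode 0600 or tighter, and it is handed to gpg over a pipe on file descriptor 0 via --passphrase-fd 0, the option griffmcc's command already uses. The helper names and the file paths are this example's own; on GnuPG 2.1 and later, --pinentry-mode loopback has to be added as well for --passphrase-fd to be honoured.

```python
import os
import stat
import subprocess


def passphrase_file_is_private(path):
    """True only if `path` is a regular file, owned by us, mode 0600 or tighter.

    Refusing anything looser means a passphrase that has to live on disk
    is at least not readable by group or world.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & 0o077) == 0


def build_gpg_argv(homedir, infile, outfile, passphrase_from_stdin):
    """argv for the encrypt-and-sign run from the post, with no passphrase
    in it.  When one is needed it arrives on fd 0, not as an argument."""
    argv = ["gpg", "--homedir", homedir, "--batch", "--yes"]
    if passphrase_from_stdin:
        argv += ["--passphrase-fd", "0"]
    argv += ["--output", outfile, "--encrypt", "--sign", infile]
    return argv


def encrypt_and_sign(homedir, infile, outfile, passphrase_file=None):
    """Run gpg; read the passphrase (if any) from a private file and feed it
    over a pipe, so it appears neither in the crontab nor in the process
    argument list.  Returns gpg's exit status."""
    passphrase = None
    if passphrase_file is not None:
        if not passphrase_file_is_private(passphrase_file):
            raise PermissionError(
                "%s must be a 0600 regular file owned by the caller"
                % passphrase_file)
        with open(passphrase_file, "rb") as fh:
            passphrase = fh.read()
    argv = build_gpg_argv(homedir, infile, outfile, passphrase is not None)
    result = subprocess.run(argv, input=passphrase, capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Paths from the post; /root/.gnupg/backup-passphrase is a placeholder
    # for wherever the private passphrase file is kept.
    rc = encrypt_and_sign("/root/.gnupg", "/usr/share/file.tar.bz2",
                          "/usr/share/file.gpg",
                          passphrase_file="/root/.gnupg/backup-passphrase")
    raise SystemExit(rc)
```

With an empty passphrase, as Ingo suggests, `passphrase_file` is simply left as None and gpg runs non-interactively with nothing secret outside the keyring at all; the permission check is for the case where a passphrase is kept anyway.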
Re: moving user ID Comments to --expert mode
I like the idea of adding the (Optional) to the prompt because I'm a big fan of optional fields being marked as such. This is a simple and elegant fix to an issue. And I'd hesitate to move it to expert since we have been (ab)using the comment field for our keys, then again this is being used by sysadmins who should know what they are doing, so moving it to expert mode shouldn't be too bad... but what should be is not the same as what is.

On Thu, Feb 3, 2011 at 4:07 PM, Robert J. Hansen wrote:
> On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
>> * most people just need a simple identity-driven OpenPGP certificate,
>> one that matches their name and e-mail address.
>
> Whenever people talk about what "most users" need, I have to ask to see
> the user survey that's showing this. History has shown that technically
> sophisticated users' ideas of what "real users" need tends to not
> correlate very tightly with what "real users" say they need.
>
>> If moving the Comment: prompt to --expert seems too radical, a more
>> conservative proposal would be to change the prompt from:
>>
>> Comment:
>>
>> to:
>>
>> Comment (leave blank unless you are sure you need this and know what
>> you are doing):
>>
>> or:
>>
>> Comment (most people should leave this blank):
>
> Terse is beautiful. I think something like
>
> Comment (optional):
>
> ... would suffice, and would be a modest improvement on the current prompt.
Re: moving user ID Comments to --expert mode
On Thu, 03 Feb 2011 17:10:58 -0500, "Robert J. Hansen" wrote:
> On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote:
>> my "user survey" is from several years of trying to personally help
>> dozens of people of all skill levels learn how to use OpenPGP for secure
>> messaging. Regardless of the intelligence or technical savvy of the
>> people i've personally helped get more comfortable with OpenPGP, i
>> believe all of them have been baffled by the Comment: prompt.
>
> I'm in a similar position to you, except this is my twentieth year of
> helping people with PGP. (I started way back in 1991, when PGP first
> came out and was distributed friend-to-friend on floppy disks... five
> and a quarter floppy disks.)
>
> I have never seen anyone be baffled by the 'Comment:' prompt. Some
> people have asked, "What should I type here?", and I usually explain,
> "nothing, just hit return," and they do. Those who ask what the
> "Comment" field means generally understand it very quickly.

I have to agree with Daniel that I have in fact honestly never spoken to anyone who was *not* confused by that field. I can't ever remember seeing a comment field used in any way that made sense to me.

>> I invite you to look through the User IDs in your own keyring, from the
>> perspective of a potential certifier, and ask yourself "what does it
>> mean for me to certify these comments?"
>
> Zero. Comments don't get certified. All my signature means is I have
> met this person face to face, have seen two forms of government
> identification, have confirmed a fingerprint and exchanged an email at
> that address. There's nothing in my signature policy that addresses
> comments, nothing at all.

I'm not sure I understand this comment. Certifications are over user IDs. The comments are in the user IDs. By certifying the full user ID you are also certifying the comment.

>> Omitting the baffling prompt entirely would be the most terse, which is
>> what i propose. Do you object to that?
>
> Without a good basis, yes, I do. If you change this prompt you will
> also break a ton of scripts that expect this prompt. Not only that, but
> since key generation is a rare occurrence the breakage may occur months
> or years after the change is made. This isn't something to be done lightly.

I think this is why his original suggestion was to move it instead to --expert. Moving it to --expert makes a lot of sense to me.

jamie.
Re: moving user ID Comments to --expert mode
On 2/3/11 4:30 PM, Daniel Kahn Gillmor wrote:
> my "user survey" is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt.

I'm in a similar position to you, except this is my twentieth year of helping people with PGP. (I started way back in 1991, when PGP first came out and was distributed friend-to-friend on floppy disks... five and a quarter floppy disks.)

I have never seen anyone be baffled by the 'Comment:' prompt. Some people have asked, "What should I type here?", and I usually explain, "nothing, just hit return," and they do. Those who ask what the "Comment" field means generally understand it very quickly.

The problem with using anecdotal evidence as opposed to surveys is that there are all different kinds of cognitive biases that go on inside the mind of the person relating the anecdote. With surveys, you can go back to the original documents and say, "User #4 said this: what do we think about this user's remarks?" Ultimately, I think arguing from anecdote that "we need to change the comment prompt" is unpersuasive.

> If anyone thinks that removing this prompt would be a Bad Thing, I would love to have a clearer explanation of the Comment prompt that i could refer to when i try to de-baffle people in the future.

"Just like a user ID allows you to tell people your email address and your real name, it also lets you put a note in there in case there's anything else you really want people to know. You can skip this: just hit 'return.'"

> I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself "what does it mean for me to certify these comments?"

Zero. Comments don't get certified. All my signature means is I have met this person face to face, have seen two forms of government identification, have confirmed a fingerprint and exchanged an email at that address. There's nothing in my signature policy that addresses comments, nothing at all.

> Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that?

Without a good basis, yes, I do. If you change this prompt you will also break a ton of scripts that expect this prompt. Not only that, but since key generation is a rare occurrence the breakage may occur months or years after the change is made. This isn't something to be done lightly.

> Yes, that would be an improvement over the current situation. i suspect it will cause a non-negligible proportion of users to use the string "optional" as their comment, but you can't win 'em all :(

You can't prevent people from being gratuitously foolish idiots. Some people think they're tremendously clever by doing things like this, and they'll continue to do it no matter how you change the user interface. It is unwise to Fisher-Price the interface in the hopes of preventing fools from being clever.
Re: moving user ID Comments to --expert mode
On 02/03/2011 04:07 PM, Robert J. Hansen wrote:
> On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
>> * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address.
>
> Whenever people talk about what "most users" need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what "real users" need tends to not correlate very tightly with what "real users" say they need.

my "user survey" is from several years of trying to personally help dozens of people of all skill levels learn how to use OpenPGP for secure messaging. Regardless of the intelligence or technical savvy of the people i've personally helped get more comfortable with OpenPGP, i believe all of them have been baffled by the Comment: prompt.

If anyone thinks that removing this prompt would be a Bad Thing, I would love to have a clearer explanation of the Comment prompt that i could refer to when i try to de-baffle people in the future.

Looking through my keyring, i see many more useless comments (clutter) than i see comments that might possibly be useful. Of the comments in user IDs in my keyring that might possibly be useful, most of them would be better communicated in some other way than as assertions of their personal identity.

I invite you to look through the User IDs in your own keyring, from the perspective of a potential certifier, and ask yourself "what does it mean for me to certify these comments?"

> Terse is beautiful.

Omitting the baffling prompt entirely would be the most terse, which is what i propose. Do you object to that?

> I think something like
>
> Comment (optional):
>
> ... would suffice, and would be a modest improvement on the current prompt.

Yes, that would be an improvement over the current situation. i suspect it will cause a non-negligible proportion of users to use the string "optional" as their comment, but you can't win 'em all :(

--dkg
Re: learning which symmetric cipher via --status-fd when --decrypting
On 02/03/2011 04:19 PM, Werner Koch wrote:
> On Thu, 3 Feb 2011 21:13, d...@fifthhorseman.net said:
>
>> This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well?
>
> Hmmm. If you really want that please put it into the tracker; there is a topic keyword "backport".

reported, thanks:

https://bugs.g10code.com/gnupg/issue1316

Regards,

--dkg
Solution: Crontab running gpg script can’t find secret key
Here's what works for me:

echo 'password' | gpg -vvv --homedir /root/.gnupg --batch --passphrase-fd 0 --output /usr/share/file.gpg --encrypt --sign /usr/share/file.tar.bz2
Re: Crontab running gpg script can’t find secret key
The user running the cron job is root and the owner of the key is root. I know this because I added

whoami > whoami.txt

to the script and the contents of the file were "root".

David SMITH-4 wrote:
>
> griffmcc wrote:
>> Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key:
>>
>> sananselmo backupscripts.d # gpg --list-secret-keys
>> /root/.gnupg/secring.gpg
>>
>> sec   2048R/AC1E8E28 2011-01-11
>> uid                  Griff McClellan (Broadmark Asset Management)
>> ssb   2048R/81E9591C 2011-01-11
>>
>> Here is my script:
>>
>> gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt --sign /usr/share/tararchive/file.tar.bz2
>>
>> When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get:
>>
>> gpg: no default secret key: No secret key
>>
>> Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome.
>
> Which user ID is the cron script running under? Is that user the same one that owns the key?
Re: learning which symmetric cipher via --status-fd when --decrypting
On Thu, 3 Feb 2011 21:13, d...@fifthhorseman.net said:

> This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well?

Hmmm. If you really want that please put it into the tracker; there is a topic keyword "backport".

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: moving user ID Comments to --expert mode
On 2/3/11 3:59 PM, Daniel Kahn Gillmor wrote:
> * most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address.

Whenever people talk about what "most users" need, I have to ask to see the user survey that's showing this. History has shown that technically sophisticated users' ideas of what "real users" need tends to not correlate very tightly with what "real users" say they need.

> If moving the Comment: prompt to --expert seems too radical, a more conservative proposal would be to change the prompt from:
>
> Comment:
>
> to:
>
> Comment (leave blank unless you are sure you need this and know what you are doing):
>
> or:
>
> Comment (most people should leave this blank):

Terse is beautiful. I think something like

Comment (optional):

... would suffice, and would be a modest improvement on the current prompt.
moving user ID Comments to --expert mode
Hi folks--

I'd like to propose that GnuPG only prompt the user for a "Comment" for their User ID under --expert mode. Here's why:

* most people just need a simple identity-driven OpenPGP certificate, one that matches their name and e-mail address.

* new users see the prompt and think they need to enter something there, without understanding why or what to put there. This leads to people either making a witticism (e.g. "No Comment"), repeating their actual name, redundantly describing their e-mail address (e.g. "gmail address"), or saying something like "this is cool software", which then becomes part of their User ID and goes on the keyservers, associated with them permanently.

When keysigning, if i get asked to certify a key with a "comment" like this, i don't know what to say. What am i certifying if i say that this key really belongs to "Joe Schmoe (no comment) " ? "Joe Schmoe " i can understand and certify, but the intervening comment doesn't seem sensible or verifiable.

There are indeed some possibly legitimate uses of comments, but many of them would be better handled with notations attached to subkeys or notations attached to particular user IDs.

What do other people think?

If moving the Comment: prompt to --expert seems too radical, a more conservative proposal would be to change the prompt from:

Comment:

to:

Comment (leave blank unless you are sure you need this and know what you are doing):

or:

Comment (most people should leave this blank):

The example User ID prompt should also be changed (in English) from

> You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
> "Heinrich Heine (Der Dichter) "

to:

> Your new key needs a User ID that identifies you; usually, this takes the form of your real name followed by your e-mail address:
> "Heinrich Heine "

Regards,

--dkg
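Added example for the "look through the User IDs in your own keyring" review suggested in this thread; it is not GnuPG code. It splits each User ID along the "Real Name (Comment) <email>" convention quoted above and reads them from the uid records of gpg --with-colons --list-keys output (field 10); the colon-format sample is constructed with made-up names, addresses and hash fields.

```python
"""Split OpenPGP User IDs into name, comment and e-mail for a keyring review.

Added example, not GnuPG code. GnuPG assembles a User ID as
"Real Name (Comment) <email>", and a certifier signs that string as a whole.
This reads uid records from `gpg --with-colons --list-keys` output (record type
in field 1, User ID in field 10, colons escaped as \\x3a) and pulls the comment
out of each one. SAMPLE_COLONS is constructed here; every value in it is made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*"            # name: anything up to "(" or "<"
    r"(?:\((?P<comment>[^)]*)\))?\s*"   # optional "(comment)"; gpg forbids parens inside
    r"(?:<(?P<email>[^>]*)>)?\s*$"      # optional "<email>"
)
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")  # gpg's escaping of ":" and friends

# Constructed --with-colons output; only the record type and field 10 matter here.
SAMPLE_COLONS = """\
pub:u:2048:1:0123456789ABCDEF:1294704000:::u:::scESC::::::23::0:
uid:u::::1294704000::A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0::Joe Schmoe (no comment) <joe@example.org>::::::::::0:
uid:u::::1294704000::B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1::Joe Schmoe <joe@example.net>::::::::::0:
uid:u::::1294704000::C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2::Jane Doe (Acme Corp\\x3a Ops) <jane@example.com>::::::::::0:
uid:u::::1294704000::D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3::<anon@example.org>::::::::::0:
"""

@dataclass
class UserID:
    raw: str
    name: str
    comment: Optional[str]
    email: Optional[str]

def parse_uid(uid: str) -> UserID:
    """Split one User ID; a string outside the convention is kept whole as the name."""
    m = UID_RE.match(uid.strip())
    if not m:
        return UserID(uid, uid.strip(), None, None)
    return UserID(uid, m.group("name").strip(), m.group("comment"), m.group("email"))

def uids_from_colons(text: str) -> List[UserID]:
    """Collect User IDs from --with-colons output, undoing the \\xNN escaping."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "uid" and len(fields) > 9:
            raw = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), fields[9])
            out.append(parse_uid(raw))
    return out

def comments_to_certify(text: str) -> List[Tuple[str, str]]:
    """(User ID, comment) for every uid whose comment a certifier would be signing."""
    return [(u.raw, u.comment) for u in uids_from_colons(text) if u.comment]
```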
Re: learning which symmetric cipher via --status-fd when --decrypting
On 02/03/2011 03:01 PM, Werner Koch wrote:
> On Thu, 3 Feb 2011 08:28, d...@fifthhorseman.net said:
>
>> is there a way for a program that parses --status-fd to get this
>
> Not yet.
>
>> information, or does the program need to parse --logger-fd as well to
>
> Better not to do that; the messages may change. What about this new feature:
>
> DECRYPTION_INFO
>     Print information about the symmetric encryption algorithm and the MDC method. This will be emitted even if the decryption fails.

This looks great. Thanks, Werner! Can we expect this in the 1.x and 2.0.x branches as well?

--dkg
Re: learning which symmetric cipher via --status-fd when --decrypting
On Thu, 3 Feb 2011 08:28, d...@fifthhorseman.net said:

> is there a way for a program that parses --status-fd to get this

Not yet.

> information, or does the program need to parse --logger-fd as well to

Better not to do that; the messages may change. What about this new feature:

  DECRYPTION_INFO
      Print information about the symmetric encryption algorithm and the MDC method. This will be emitted even if the decryption fails.

  $ ~/b/gnupg/g10/gpg2 --status-fd 2 "
  [GNUPG:] BEGIN_DECRYPTION
  [GNUPG:] DECRYPTION_INFO 2 7
  [GNUPG:] PLAINTEXT 62 1296751201
  [GNUPG:] PLAINTEXT_LENGTH 139
  The difference between the right word and the almost right word is the difference between lightning and the lightning bug. -- Mark Twain
  gpg: Signature made Thu Feb 3 17:40:01 2011 CET using ECDSA key ID 6AE8EAC3
  [GNUPG:] SIG_ID Fh+ZrREGtHN97DZR1dRxaRCohdo 2011-02-03 1296751201
  [GNUPG:] GOODSIG 9A7AE1B86AE8EAC3 Joe Random Hacker (test key with...
  gpg: Good signature from "Joe Random Hacker (test key with passphrase...
  [GNUPG:] VALIDSIG 1C5AD3334C35780012F7D6979A7AE1B86AE8EAC3 2011-02-03 ...
  [GNUPG:] TRUST_FULLY
  [GNUPG:] DECRYPTION_OKAY
  [GNUPG:] GOODMDC
  [GNUPG:] END_DECRYPTION

Commit 5667e33. There is no support in GPGME yet, but I added some framework to support it.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
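As an added example for this thread (not code from GnuPG or GPGME), a small consumer of the status lines above: it reads DECRYPTION_INFO as <mdc_method> <sym_algo>, skips the interleaved human-readable lines as Werner advises, and applies a decryption policy. The algorithm ID tables follow RFC 4880; the weak-cipher list and trust requirement are this example's own choices.

```python
"""Parse GnuPG --status-fd output and apply a decryption policy.

Added example for this thread, not code from GnuPG or GPGME: it reads the
"[GNUPG:]" status lines, including DECRYPTION_INFO (<mdc_method> <sym_algo>)
discussed above, and checks the run against a policy of this example's own choice.
"""
from dataclasses import dataclass, field
from typing import List, Optional
# Symmetric-key algorithm IDs (RFC 4880, section 9.2).
SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
# The MDC method is a hash algorithm ID (RFC 4880, section 9.4); 0 means no MDC.
HASH_ALGOS = {0: "NONE", 1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
# Policy (this example's assumption): 64-bit block ciphers are refused.
WEAK_CIPHERS = {"IDEA", "3DES", "CAST5", "BLOWFISH"}

# Status lines from Werner's run above, with one interleaved human-readable line kept.
SAMPLE_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 7
[GNUPG:] PLAINTEXT 62 1296751201
[GNUPG:] PLAINTEXT_LENGTH 139
gpg: Signature made Thu Feb 3 17:40:01 2011 CET using ECDSA key ID 6AE8EAC3
[GNUPG:] SIG_ID Fh+ZrREGtHN97DZR1dRxaRCohdo 2011-02-03 1296751201
[GNUPG:] GOODSIG 9A7AE1B86AE8EAC3 Joe Random Hacker (test key with...
[GNUPG:] VALIDSIG 1C5AD3334C35780012F7D6979A7AE1B86AE8EAC3 2011-02-03 ...
[GNUPG:] TRUST_FULLY
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

@dataclass
class DecryptionStatus:
    cipher: Optional[str] = None
    mdc_method: Optional[str] = None
    decryption_okay: bool = False
    good_mdc: bool = False
    good_sig_keyid: Optional[str] = None
    valid_sig_fpr: Optional[str] = None
    trust: Optional[str] = None
    problems: List[str] = field(default_factory=list)

def parse_status(text: str) -> DecryptionStatus:
    """Keep only "[GNUPG:]" lines; the human-readable output may change its wording."""
    st = DecryptionStatus()
    for raw in text.splitlines():
        if not raw.startswith("[GNUPG:] "):
            continue
        fields = raw.split()
        kw, args = fields[1], fields[2:]
        if kw == "DECRYPTION_INFO":
            mdc_id, algo_id = int(args[0]), int(args[1])
            st.mdc_method = HASH_ALGOS.get(mdc_id, f"UNKNOWN({mdc_id})")
            st.cipher = SYM_ALGOS.get(algo_id, f"UNKNOWN({algo_id})")
        elif kw == "DECRYPTION_OKAY":
            st.decryption_okay = True
        elif kw == "GOODMDC":
            st.good_mdc = True
        elif kw == "GOODSIG":
            st.good_sig_keyid = args[0]  # long key ID; the rest is the user ID
        elif kw == "VALIDSIG":
            st.valid_sig_fpr = args[0]  # full fingerprint of the signing key
        elif kw.startswith("TRUST_"):
            st.trust = kw[len("TRUST_"):]
        elif kw in ("DECRYPTION_FAILED", "BADMDC", "BADSIG", "NODATA"):
            st.problems.append(kw)
    return st

def evaluate(st: DecryptionStatus, require_signature: bool = True) -> List[str]:
    """Policy violations for one run; an empty list means the plaintext may be used."""
    violations = list(st.problems)
    if not st.decryption_okay:
        violations.append("decryption-not-okay")
    if st.mdc_method in (None, "NONE") or not st.good_mdc:
        violations.append("no-mdc")  # ciphertext integrity was not verified
    if st.cipher in WEAK_CIPHERS:
        violations.append(f"weak-cipher:{st.cipher}")
    if require_signature and st.valid_sig_fpr is None:
        violations.append("unsigned")
    elif require_signature and st.trust not in ("FULLY", "ULTIMATE"):
        violations.append(f"signer-trust:{st.trust}")
    return violations
```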
Re: Is commercial PGP.com compatible with Gnupg ???
On 2/3/11 12:34 PM, Keith Theman wrote:
> Is the pgp from pgp.com compatible with gnupg ??

Generally, yes. PGP holds a patent on the Additional Decryption Key functionality (which GnuPG developers have said will not be implemented in GnuPG, even if it weren't patented), though, so that's an example of one of the minor incompatibilities between the two.

> Is gnupg FIPS 140-2 compliant?

I am unaware of any certified laboratory which has declared GnuPG conformant to any FIPS.
Is commercial PGP.com compatible with Gnupg ???
Hello,

Is the pgp from pgp.com compatible with gnupg ??

Is gnupg FIPS 140-2 compliant?

Dave
GPG Decrypt Messages
Hi,

Can someone please help me avoid these messages whenever a gpg file is decrypted. Here are the messages:

gpg: Signature made Wed Feb 02 14:26:25 2011 PST using DSA key ID BD6608B2
gpg: Good signature from "umesh (GPG encryptionl) "

They are printed in the logs every time. Please advise what I should use to avoid them. Here is the command I am using:

gpg -q -d abc.gpg

Thanks,
Umesh
Re: Add/remove recipient without re-encrypting
Hello,

On Thu, Feb 03, 2011 at 03:38:12PM +0100, Alphazo wrote:
> Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?
>
> From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption).
> Assuming I own the private key of one of the original recipients, could GnuPG decrypt the session key and add/remove new recipients to the existing file?

For what it's worth, I tried to write such a tool for myself, and announced it on this list; see http://www.mail-archive.com/gnupg-users@gnupg.org/msg13495.html for the announcement.

If you are interested, I think it would be possible to resurrect this project.

Cheers,

--
Nicolas Boullis
Re: Add/remove recipient without re-encrypting
On Thursday 03 February 2011 15:38:12, Alphazo wrote:
> Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?

Not an answer but a proposal:

I have read this question several times on this list. I know that this is possible today but complicated (and AFAIK not part of the gpg documentation). I prefer an easy solution within gpg. Thus I suggest the feature that recipient packets can be stored in a separate file. Thus only a small file has to be changed (extended or partially erased).

A solution with better compatibility would be: The session key of the content file is the encrypted content of the recipients file. Thus implementations with a feature like --override-session-key can still access the content file (with some manual assistance) if they don't support such an extension file.

That could look like this:

gpg --encrypt --recipient --recipient 1112 file.txt

would change to

gpg --encrypt --recipient --ext-rec-file --recipient 1112 \
    file.txt

with all recipients given after --ext-rec-file (or --ext-rec-file=filename) being written to the extension file.

If this is not implemented and we stick to "you would need to write the tool yourself" then it might be helpful to add the option to write some dummy recipients (just to have enough space in the file which can be overwritten).

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: Add/remove recipient without re-encrypting
On Feb 3, 2011, at 9:38 AM, Alphazo wrote:
> Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?
>
> From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption).

You understand correctly.

> Assuming I own the private key of one of the original recipients, could GnuPG decrypt the session key and add/remove new recipients to the existing file?

This is technically possible, but GnuPG doesn't have it as a feature. You could use the 'gpgsplit' tool that comes with GnuPG to *remove* recipients by splitting the file into its packets, deleting the packet for the recipient you want to get rid of, and then using cat to put the packets together. Adding new recipients is more difficult, though you could probably hack it into GnuPG if you really wanted it.

David
Re: Add/remove recipient without re-encrypting
On 2/3/11 9:38 AM, Alphazo wrote:
> Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?

Technically, yes, although you would need to write the tool yourself.

> Assuming I own the private key of one of the original recipients, could GnuPG decrypt the session key and add/remove new recipients to the existing file?

GnuPG does not have this functionality.
Add/remove recipient without re-encrypting
Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?

From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption).

Assuming I own the private key of one of the original recipients, could GnuPG decrypt the session key and add/remove new recipients to the existing file?

Thanks
Alphazo
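Added example for this thread, not GnuPG's code or the tool Nicolas mentions: a packet-level walk of an encrypted message that lists the key IDs in the Public-Key Encrypted Session Key packets Alphazo describes and drops one of them, which is David's gpgsplit-and-cat recipe in code. The sample message is constructed here with dummy key IDs and dummy MPI bytes and is not a real ciphertext.

```python
"""List and remove recipients (PKESK packets) of an OpenPGP message.

Added example, not code from GnuPG. It walks the packet sequence (RFC 4880,
section 4), reports the key ID in each Public-Key Encrypted Session Key packet
(tag 1) and writes the message back without the packets addressed to one key.
constructed_message() builds a dummy message: made-up key IDs, dummy MPI bytes.
"""
from dataclasses import dataclass
from typing import List, Tuple

PKESK, SEIPD = 1, 18  # packet tags

@dataclass
class Packet:
    tag: int
    body: bytes
    raw: bytes  # header + body, kept verbatim so re-assembly is byte-exact

def _new_format_length(data: bytes, i: int) -> Tuple[int, bool, int]:
    """Decode a new-format length field: (length, is_partial, next_index)."""
    first, i = data[i], i + 1
    if first < 192:
        return first, False, i
    if first < 224:
        return ((first - 192) << 8) + data[i] + 192, False, i + 1
    if first == 255:
        return int.from_bytes(data[i:i + 4], "big"), False, i + 4
    return 1 << (first & 0x1F), True, i  # partial body length, more chunks follow

def parse_packets(data: bytes) -> List[Packet]:
    pkts, i = [], 0
    while i < len(data):
        start, ctb, i = i, data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {start}")
        if ctb & 0x40:  # new-format header, possibly with partial body lengths
            tag, body = ctb & 0x3F, b""
            while True:
                length, partial, i = _new_format_length(data, i)
                body, i = body + data[i:i + length], i + length
                if not partial:
                    break
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                length = len(data) - i  # indeterminate length runs to end of input
            else:
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
            body, i = data[i:i + length], i + length
        if i > len(data):
            raise ValueError("truncated packet")
        pkts.append(Packet(tag, body, data[start:i]))
    return pkts

def _pkesk_keyid(p: Packet) -> str:
    """Key ID of a version 3 PKESK (bytes 1..8); all zeros means a hidden recipient."""
    return p.body[1:9].hex().upper()

def list_recipients(msg: bytes) -> List[str]:
    return [_pkesk_keyid(p) for p in parse_packets(msg) if p.tag == PKESK]

def remove_recipient(msg: bytes, keyid_hex: str) -> bytes:
    """Drop every PKESK addressed to keyid_hex; all other packets are copied byte for byte.
    This only withdraws future access: anyone who already decrypted the file still has
    the session key and the plaintext."""
    pkts = parse_packets(msg)
    kept = [p for p in pkts if not (p.tag == PKESK and _pkesk_keyid(p) == keyid_hex.upper())]
    if len(kept) == len(pkts):
        raise KeyError(f"no recipient {keyid_hex} in message")
    if not any(p.tag == PKESK for p in kept):
        raise ValueError("refusing to write a message nobody could decrypt")
    return b"".join(p.raw for p in kept)

def _pkesk(keyid: bytes) -> bytes:
    body = b"\x03" + keyid + b"\x01" + b"\x00\x80" + bytes(range(16))  # v3, RSA, dummy MPI
    return bytes([0x85]) + len(body).to_bytes(2, "big") + body  # old-format, 2-byte length

def constructed_message() -> bytes:
    """Two recipients, then a SEIPD packet whose body uses a 16-byte partial length."""
    seipd_body = b"\x01" + bytes(30)  # version 1 + dummy ciphertext bytes (not real)
    seipd = bytes([0xD2, 0xE4]) + seipd_body[:16] + bytes([15]) + seipd_body[16:]
    return _pkesk(bytes.fromhex("1122334455667788")) + _pkesk(bytes.fromhex("99AABBCCDDEEFF00")) + seipd
```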
Re: OpenLDAP schema to store OpenPGP keys?
On Thu, 03 Feb 2011, Sascha Silbe wrote:

> Excerpts from 's message of Mon Feb 20 10:56:32 +0100 2006:
>> Walter Haidinger wrote on Saturday, 18 February 2006:
>>
>>> Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for use with GnuPG). [...]
>>> However, I was unable to find any schema definition...
>>
>> http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip
>
> Like Walter, I'd like to add OpenPGP keys to an LDAP server, but can't locate the schema used / understood by GnuPG. The file mentioned above has since gone.
>
> Where did the schema come from originally? If the license is GPL compatible, would it be possible to include it as part of the GnuPG documentation?

It came from PGP Corporation in 2003, licensed BSD style. I've dug through my old mail and restored the file at http://www.palfrader.org/pgp/PGPKeyserverSchema.zip

Cheers,

--
Peter Palfrader | Debian GNU/Linux, the universal operating system | http://www.palfrader.org/ | http://www.debian.org/
Re: Crontab running gpg script can’t find secret key
griffmcc wrote:
> Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key:
>
> sananselmo backupscripts.d # gpg --list-secret-keys
> /root/.gnupg/secring.gpg
>
> sec   2048R/AC1E8E28 2011-01-11
> uid                  Griff McClellan (Broadmark Asset Management)
> ssb   2048R/81E9591C 2011-01-11
>
> Here is my script:
>
> gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt --sign /usr/share/tararchive/file.tar.bz2
>
> When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get:
>
> gpg: no default secret key: No secret key
>
> Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome.

Which user ID is the cron script running under? Is that user the same one that owns the key?
Crontab running gpg script can’t find secret key
Although I can encrypt a file using a script, when crontab runs the same script, it returns the error message “no default secret key: No secret key”. I have one secret key:

sananselmo backupscripts.d # gpg --list-secret-keys
/root/.gnupg/secring.gpg

sec   2048R/AC1E8E28 2011-01-11
uid                  Griff McClellan (Broadmark Asset Management)
ssb   2048R/81E9591C 2011-01-11

Here is my script:

gpg -vvv --batch --output /usr/share/tararchive/file.gpg --encrypt --sign /usr/share/tararchive/file.tar.bz2

When I run it I am prompted for a password, even though I have the batch flag. However the file.gpg encrypted file is created. When I run the same script as root using crontab, I get:

gpg: no default secret key: No secret key

Does anyone have any suggestions about how to fix this problem? I tried setting the default-flag in gpg.conf but that didn’t change the outcome.
Re: OpenLDAP schema to store OpenPGP keys?
Excerpts from 's message of Mon Feb 20 10:56:32 +0100 2006:
> Walter Haidinger wrote on Saturday, 18 February 2006:
>
>> Now, I'd like to setup an OpenLDAP server to store the OpenPGP keys (for use with GnuPG). [...]
>> However, I was unable to find any schema definition...
>
> http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip

Like Walter, I'd like to add OpenPGP keys to an LDAP server, but can't locate the schema used / understood by GnuPG. The file mentioned above has since gone.

Where did the schema come from originally? If the license is GPL compatible, would it be possible to include it as part of the GnuPG documentation?

Sascha

--
http://sascha.silbe.org/
http://www.infra-silbe.de/