Re: Secret key Questions regarding expiration and backing up

2016-10-14 Thread Daniel Kahn Gillmor
On Fri 2016-10-14 19:16:45 -0400, Andrew Gallagher wrote:

> my understanding is that a copy of some public key information (such
> as expiry dates) is kept in the corresponding secret key store, and
> this will be updated when the public key is edited.

This is exactly correct.  see:
https://tools.ietf.org/html/rfc4880#section-5.5.3

   The Secret-Key and Secret-Subkey packets contain all the data of the
   Public-Key and Public-Subkey packets, with additional algorithm-
   specific secret-key data appended, usually in encrypted form.

Regards,

--dkg


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
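To make the RFC 4880 point above concrete, here is an added Python example (not code from this thread or from GnuPG) that builds a constructed toy keyblock with the creation and expiry dates from the `--list-secret-keys` output quoted in this thread, then parses it: the secret-key packet body starts with the public-key packet's fields byte for byte, and for v4 keys the expiry itself is carried in the self-signature's Key Expiration Time subpacket, which both the public and the secret export contain. The RSA numbers, user ID and signature bytes are made-up placeholders, not a real key.

```python
import struct
from datetime import datetime, timezone
# Constructed toy keyblock (tiny made-up RSA numbers, NOT a real key); dates as in the listing.
CREATED, EXPIRES = 1414627200, 1509408000   # 2014-10-30 and 2017-10-31, 00:00 UTC
N, E, D = 0xC0FFEE42, 65537, 0x1337

def mpi(n):                   # RFC 4880 3.2: 16-bit bit count + big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
def packet(tag, body):        # old-format header with a two-octet length (RFC 4880 4.2.1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def public_body():            # tag 6: version 4, creation time, algo 1 (RSA), MPIs n and e
    return b"\x04" + struct.pack(">I", CREATED) + b"\x01" + mpi(N) + mpi(E)
def secret_body():            # tag 5: the public body, then S2K usage 0 (unencrypted), d, checksum
    d = mpi(D)
    return public_body() + b"\x00" + d + struct.pack(">H", sum(d) & 0xFFFF)
def self_sig_body():          # tag 2: v4 positive certification (0x13) whose subpackets carry the expiry
    sub = bytes([5, 2]) + struct.pack(">I", CREATED)             # type 2: signature creation time
    sub += bytes([5, 9]) + struct.pack(">I", EXPIRES - CREATED)  # type 9: seconds until key expiry
    return b"\x04\x13\x01\x08" + struct.pack(">H", len(sub)) + sub + b"\x00\x00\xab\xcd" + mpi(0x42)
PUBLIC_EXPORT = packet(6, public_body()) + packet(13, b"Test User") + packet(2, self_sig_body())
SECRET_EXPORT = packet(5, secret_body()) + packet(13, b"Test User") + packet(2, self_sig_body())
def packets(data):            # split an old-format packet stream into (tag, body) pairs
    out, i = [], 0
    while i < len(data):      # length type 3 (indeterminate) and new-format headers not handled
        tag, size = (data[i] >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[data[i] & 0x03]
        n = int.from_bytes(data[i + 1:i + 1 + size], "big")
        out.append((tag, data[i + 1 + size:i + 1 + size + n]))
        i += 1 + size + n
    return out
def public_part(body):        # public-key fields (RFC 4880 5.5.2) at the front of a tag 5/6 body
    i = 6                     # version(1) + creation(4) + algorithm(1)
    for _ in range(2):        # RSA carries two MPIs (n, e); other algorithms differ
        i += 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8
    return body[:i]
def key_expiration(sig):      # seconds after creation from subpacket type 9, or None if absent
    i, end = 6, 6 + struct.unpack(">H", sig[4:6])[0]   # hashed subpacket area of a v4 signature
    while i < end:            # one-octet subpacket lengths (< 192) only
        length, stype = sig[i], sig[i + 1]
        if stype == 9:
            return struct.unpack(">I", sig[i + 2:i + 6])[0]
        i += 1 + length
    return None
def inspect(secret_export, public_export):
    sec, pub = dict(packets(secret_export)), dict(packets(public_export))
    created = struct.unpack(">I", sec[5][1:5])[0]
    expires = datetime.fromtimestamp(created + key_expiration(sec[2]), timezone.utc)
    return {"public_part_matches": public_part(sec[5]) == pub[6], "expires": expires.date().isoformat()}

print(inspect(SECRET_EXPORT, PUBLIC_EXPORT))   # {'public_part_matches': True, 'expires': '2017-10-31'}
```

Because the self-signature is part of the secret export, regenerating it with a new expiry changes the exported file even though the key material itself is unchanged.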


Re: Secret key Questions regarding expiration and backing up

2016-10-14 Thread Andrew Gallagher
On 14 Oct 2016, at 23:49, g...@noffin.com wrote:

> So for clarification then:
> 
> If there are no expiry dates on secret keys, what does this output mean then?
> 
> #gpg --list-secret-keys
> 
> 
> sec   2048R/ 2014-10-30 [expires: 2017-10-31]
> 

The expiry date shown here is just a copy of the one on the public key. It is 
checked by gnupg to prevent it making signatures with a secret key that has an 
expired public key (and which are therefore unverifiable by others). I suppose 
you could think of this as being the expiry of the secret key, but it is always 
the same as that of the public key and the one on the public key is the 
important one.

> And my next question is then... When I exported my secret key and moved it
> to another machine - why did the contents of the export to file change
> between the extension of the expiration date? (I exported before and after
> to test).

I'll defer to someone more expert than me on the internals, but my 
understanding is that a copy of some public key information (such as expiry 
dates) is kept in the corresponding secret key store, and this will be updated 
when the public key is edited.

Andrew.



Re: Secret key Questions regarding expiration and backing up

2016-10-14 Thread gpg
> On 14 Oct 2016, at 19:11, g...@noffin.com wrote:
>>
>> Hi there - pretty new with GPG, but have been getting going with it
>> without much issue. I'm just curious about a few best practices and so
>> on.
>>
>> 1) Should you set an expiration on your secret key? Or do most people
>> just
>> secure it appropriately (with no expiration)?
>
> Secret keys don't have expiration dates, only public keys. Best practice
> is to set an expiration date of a year or two in the future on the primary
> key, and either the same or shorter on your subkeys (I use the same expiry
> myself, for simplicity).
>
> The reason for this is that you may lose your secret material or forget
> your password, and you don't want stale keys hanging around on the
> internet forever with no indication that they are no longer usable.
>
>> 2) If you do have the secret key expire, and I have a backup of it (file
>> format) - And for some reason I forget to extend it before expiration -
>> can I still extend it?
>
> Yes. Just edit the public key and republish. The expiration date only
> informs other people that their software should stop using the key - it
> doesn't prevent you from doing anything.
>
> Andrew


So for clarification then:

If there are no expiry dates on secret keys, what does this output mean then?

#gpg --list-secret-keys


sec   2048R/ 2014-10-30 [expires: 2017-10-31]


And my next question is then... When I exported my secret key and moved it
to another machine - why did the contents of the export to file change
between the extension of the expiration date? (I exported before and after
to test).

Thanks in advance!






Re: Secret key Questions regarding expiration and backing up

2016-10-14 Thread Andrew Gallagher
On 14 Oct 2016, at 19:11, g...@noffin.com wrote:
> 
> Hi there - pretty new with GPG, but have been getting going with it
> without much issue. I'm just curious about a few best practices and so on.
> 
> 1) Should you set an expiration on your secret key? Or do most people just
> secure it appropriately (with no expiration)?

Secret keys don't have expiration dates, only public keys. Best practice is to 
set an expiration date of a year or two in the future on the primary key, and 
either the same or shorter on your subkeys (I use the same expiry myself, for 
simplicity). 

The reason for this is that you may lose your secret material or forget your 
password, and you don't want stale keys hanging around on the internet forever 
with no indication that they are no longer usable. 

> 2) If you do have the secret key expire, and I have a backup of it (file
> format) - And for some reason I forget to extend it before expiration -
> can I still extend it?

Yes. Just edit the public key and republish. The expiration date only informs 
other people that their software should stop using the key - it doesn't prevent 
you from doing anything.

Andrew



Secret key Questions regarding expiration and backing up

2016-10-14 Thread gpg
Hi there - pretty new with GPG, but have been getting going with it
without much issue. I'm just curious about a few best practices and so on.

1) Should you set an expiration on your secret key? Or do most people just
secure it appropriately (with no expiration)?

2) If you do have the secret key expire, and I have a backup of it (file
format) - And for some reason I forget to extend it before expiration -
can I still extend it?

I did a few tests exporting a secret key before and after extending the
expiration date - and obviously the file contents changed. I just want to
be sure that I have a good backup of it, however follow best practices.

Thank you.




Re: unable to decrypt a mail coming from apple mail

2016-10-14 Thread ng0
Stephan Beck  writes:

> Hi,
>
> ng0:
>> Hi,
>> 
>> I've just got an email where the X-Mailer is Apple Mail. It adds some
>> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
>> decrypt it with gpg --decrypt (applied to the email as a file and also
>> when applied to the BEGIN/END PGP block).
>> The key is imported, still valid and yet I get:
>> gpg: decryption failed: No secret key
>> 
>> I'm running an unaltered Guix build here:
>> ng0@shadowwalker ~$ gpg --version
>> gpg (GnuPG) 2.1.13
>> libgcrypt 1.7.3
>
> have you checked the bug tracker at (1)?
> There are several entries for
> gpg: decryption failed: No secret key.
>
> when you enter this very phrase into the search entry mask.
>
> Maybe there you'll find what you are looking for.
>
> Cheers
>
> Stephan
>
> (1) https://bugs.gnupg.org

From the subjects of those 9 bugs I don't see how they are related to my
problem. Nevertheless I will read into them in the next days.

Thanks



mentors needed for the PGP Clean Room project in Outreachy/GSoC

2016-10-14 Thread Daniel Pocock


Hi all,

I've advertised[1] the PGP Clean Room in the current round of Outreachy
and it will probably be promoted in GSoC 2017 too.

We already have a couple of applicants interested in working on it,
their details are in the pki-clean-room list archive[2]

Would anybody from the GnuPG community be interested in collaborating as
a co-mentor on this project?  If so, please feel free to email me and/or
subscribe to the pki-clean-room mailing list[3].

Regards,

Daniel


1. https://danielpocock.com/outreachy-gsoc-2017-pki-clean-room
2. http://lists.alioth.debian.org/pipermail/pki-clean-room-devel/Week-of-Mon-20161010/date.html
3. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel



Re: unable to decrypt a mail coming from apple mail

2016-10-14 Thread Stephan Beck
Hi,

ng0:
> Hi,
> 
> I've just got an email where the X-Mailer is Apple Mail. It adds some
> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
> decrypt it with gpg --decrypt (applied to the email as a file and also
> when applied to the BEGIN/END PGP block).
> The key is imported, still valid and yet I get:
> gpg: decryption failed: No secret key
> 
> I'm running an unaltered Guix build here:
> ng0@shadowwalker ~$ gpg --version
> gpg (GnuPG) 2.1.13
> libgcrypt 1.7.3

have you checked the bug tracker at (1)?
There are several entries for
gpg: decryption failed: No secret key.

when you enter this very phrase into the search entry mask.

Maybe there you'll find what you are looking for.

Cheers

Stephan

(1) https://bugs.gnupg.org
