Re: keys require a user-id
That is very true. I have a friend whose first name is M'Lou and she's had all kinds of issues when systems freak out over her first name.

On 5/21/2020 6:48 AM, Mark H. Wood via Gnupg-users wrote:
> On Wed, May 20, 2020 at 03:27:28PM -0700, Mark wrote:
>> Did a bit more experimenting with it. You can have something only in
>> the first name field but it has to be a minimum of 5 characters and the
>> first one must be a letter. ..
>
> *sigh*
>
> https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
>
>> On 5/20/2020 3:16 PM, Mark wrote:
>>> It must be... With all the talk of "anonymous" keys I wanted to see if I
>>> could create one with Kleopatra, especially since it says optional for
>>> name.
>>>
>>> On 5/20/2020 12:27 AM, Andrew Gallagher wrote:
>>>>> On 20 May 2020, at 06:32, Mark wrote:
>>>>>
>>>>> Just to test this out I tried creating a new key in Kleopatra with no
>>>>> name and then with just a single name and it would not let me do it. It
>>>>> had to have a first and at least a last initial.
>>>> This must be a Kleopatra limitation. I have successfully created IDs
>>>> consisting of a single word using the gpg command line.
>>>>
>>>> Such a limitation would be user-hostile, as there are people in some
>>>> cultures who have only one name, the Indonesian dictator Suharto being one
>>>> famous example.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: keys require a user-id
Thanks I may take a look at it and just see what it does. I'm still VERY much a novice in regards to all this so just trying to learn more. My "experiment" with Kleopatra was just to see if I could since it said "optional" for the name part.

Sorry, not sure who dkg is but have seen those initials mentioned a few times.

On 5/21/2020 7:30 AM, Stefan Claas wrote:
> Mark wrote:
>
> Hi,
>
>> Did a bit more experimenting with it. You can have something only in
>> the first name field but it has to be a minimum of 5 characters and
>> the first one must be a letter. ..
>
> If you are familiar with GnuPG in command line mode you may try out
> sequoia pgp, which I compiled a Windows binary for, so that you
> can see how easy it is to have UID-less public keyblocks and how
> to assign labels for such keys.
>
> dkg once said IIRC 'less is more', not in this context but this
> is what I love about sequoia pgp.
>
> https://keybase.pub/stefan_claas/software/sequoia-pgp_Win64.zip
>
> https://docs.sequoia-pgp.org/sq/index.html
>
> Regards
> Stefan
Re: "just invent something..."
Given the number of people that still manage to create (and distribute) their keys with glaring mistakes, such as misspelling their own domain name/tld, or providing a key which doesn't match their email address.

Too many people are sending and receiving openpgp emails by actually encrypting the content on a separate application, then pasting it on their MUA (often resulting in the openpgp armor contained in a html/text block! ☹). Which then leads to the occasional mistake of the wrong key being manually chosen.

People should *really* use a MUA supporting OpenPGP if they are going to send or receive OpenPGP emails. It's a big mistake that end users think it's normal to process that separately.

I don't think relaxing the current uid validation would help with that. Quite the opposite.

The stated issue could be solved, while keeping rfc4880 conformance, by adding a skip path on the key creation:

> You have chosen not to provide a uid to the new key. It is recommended
> to add an identifier. A key specifying no email address will be
> severely limited if it is going to be used to send or receive mail, as
> it won't be linked with that account.
>
> If not providing a uid, usage of this key will have to be done using
> the user-unfriendly key fingerprint. By continuing with no explicit
> uid, GnuPG will automatically fill the uid field with the key
> fingerprint A1786ADB27E946D5DC1B5A989EED09D63FCD9AB7
>
>
> Do you want to create such a key anyway? [y/N]

I still wonder if it's worth adding that code for this limited use case, though.

On 2020-05-21 at 15:32 +0100, Andrew Gallagher wrote:
> you should have a valid key
> that has "presid...@whitehouse.gov" in either its User ID or local
> alias (as RJH pointed out above).

Note you may need to set your alias for "", not "presid...@whitehouse.gov". It will depend on how gnupg is called by the MUA.

Best regards
Re: FW: gpg-agent connection errors
On 2020-05-20 at 18:22 +, Kent A. Larsen wrote:
> I've added logging to our gpg-agent.conf file, and when these errors
> occur the gpg-agent log file has the following error:
>
> 2020-05-18 09:36:07 gpg-agent[3800] error binding socket to '\\Neofs1\Userapps\Apps\GnuPG\Keys\S.gpg-agent': Unknown error
>
> Have had three of these just this week already.
>
> What could be causing this, and what can we do to prevent it?
>
> Thanks.

Is the program installed on a remote server? I would place the gpg-agent socket on a local filesystem.

I don't know how this AF_UNIX socket is actually implemented on Gpg4win (as a named pipe, perhaps?), but your issues might be related to having it on a network filesystem (I'm surprised it works, actually).

Cheers
Re: "just invent something..."
Robert J. Hansen wrote:

> > First, let me mention that Web of Trust is to me not a useful
> > public key verification mechanism, as it compromises my privacy.
>
> Only if your sigs are exportable. Local sigs are a perfectly
> legitimate way to use the WoT. If Alice locally signs Bob's
> certificate and sets Bob up as a trusted introducer, Alice can
> benefit from Bob vouching for Charlotte's certificate without
> revealing her identity to Charlotte -- or even the fact that she
> (Alice) even exists.
>
> > But the question begs: is inventing false information the proper
> > way of preventing the leakage of personally identifiable
> > information, completely unnecessarily, via programs constructed by
> > system architects whose thinking about the privacy is stuck in the
> > time long behind us?
>
> The question is irrelevant. OpenPGP allows you to use true identity
> information, false information, or true information about a persona,
> or false information about a persona, or a recipe for a nice habanero
> salsa. Do what's right for you, and understand that what's right for
> you may well be different from what's right for others.
>
> (Saute two thinly-sliced cloves of garlic in a little oil for a few
> minutes until they start releasing the garlicky goodness. Add a pinch
> of ground cumin; saute another minute. Add 500g finely-diced tomatoes
> and their juices, one habanero finely-diced, cook over low heat for
> ten minutes stirring constantly. Once the tomatoes and peppers are
> well-cooked, pour into a blender or food processor. Add cilantro and
> the juice of one lime, puree the mixture, pour into a bowl. Decorate
> with lime slices. And here you thought this mailing list was only
> good for nerd stuff...)
>
> > The proper thing for gpg program to do would be to allow the
> > personally identifiable information in the key to be optional,
>
> It already is.
>
> > and to warn the user generating such key that he will not be able to
> > participate in the Web of Trust.
>
> But they can.

I miss dkg here on the ML ...

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: "just invent something..."
> First, let me mention that Web of Trust is to me not a useful public
> key verification mechanism, as it compromises my privacy.

Only if your sigs are exportable. Local sigs are a perfectly legitimate way to use the WoT. If Alice locally signs Bob's certificate and sets Bob up as a trusted introducer, Alice can benefit from Bob vouching for Charlotte's certificate without revealing her identity to Charlotte -- or even the fact that she (Alice) even exists.

> But the question begs: is inventing false information the proper way
> of preventing the leakage of personally identifiable information,
> completely unnecessarily, via programs constructed by system
> architects whose thinking about the privacy is stuck in the time long
> behind us?

The question is irrelevant. OpenPGP allows you to use true identity information, false information, or true information about a persona, or false information about a persona, or a recipe for a nice habanero salsa. Do what's right for you, and understand that what's right for you may well be different from what's right for others.

(Saute two thinly-sliced cloves of garlic in a little oil for a few minutes until they start releasing the garlicky goodness. Add a pinch of ground cumin; saute another minute. Add 500g finely-diced tomatoes and their juices, one habanero finely-diced, cook over low heat for ten minutes stirring constantly. Once the tomatoes and peppers are well-cooked, pour into a blender or food processor. Add cilantro and the juice of one lime, puree the mixture, pour into a bowl. Decorate with lime slices. And here you thought this mailing list was only good for nerd stuff...)

> The proper thing for gpg program to do would be to allow the
> personally identifiable information in the key to be optional,

It already is.

> and to warn the user generating such key that he will not be able to
> participate in the Web of Trust.

But they can.
Re: keys require a user-id
On Wed, May 20, 2020 at 03:27:28PM -0700, Mark wrote:
> Did a bit more experimenting with it. You can have something only in
> the first name field but it has to be a minimum of 5 characters and the
> first one must be a letter. ..

*sigh*

https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

> On 5/20/2020 3:16 PM, Mark wrote:
> > It must be... With all the talk of "anonymous" keys I wanted to see if I
> > could create one with Kleopatra, especially since it says optional for
> > name.
> >
> > On 5/20/2020 12:27 AM, Andrew Gallagher wrote:
> >>> On 20 May 2020, at 06:32, Mark wrote:
> >>>
> >>> Just to test this out I tried creating a new key in Kleopatra with no
> >>> name and then with just a single name and it would not let me do it. It
> >>> had to have a first and at least a last initial.
> >> This must be a Kleopatra limitation. I have successfully created IDs
> >> consisting of a single word using the gpg command line.
> >>
> >> Such a limitation would be user-hostile, as there are people in some
> >> cultures who have only one name, the Indonesian dictator Suharto being one
> >> famous example.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: "just invent something..."
On 21/05/2020 14:34, LisToFacTor via Gnupg-users wrote:
> The proper thing for gpg program to do would be to allow the
> personally identifiable information in the key to be optional,
> and to warn the user generating such key that he will not be able
> to participate in the Web of Trust.

I think you're getting overly hung up on the web of trust. The contents of the User ID are independent of the WoT - they exist to tell your email program which keys belong to which correspondents. You can use a WoT with keys that have no email addresses in them, so long as the verification chain is cryptographically valid and you have the appropriate settings in your trustdb. Your WoT could be made up of Donald Duck, Mickey Mouse and Goofy - the only time the UID's contents become important (as opposed to its certifications) is when you want to send an email to presid...@whitehouse.gov; then you should have a valid key that has "presid...@whitehouse.gov" in either its User ID or local alias (as RJH pointed out above).

--
Andrew Gallagher
Re: keys require a user-id
Mark wrote:

Hi,

> Did a bit more experimenting with it. You can have something only in
> the first name field but it has to be a minimum of 5 characters and
> the first one must be a letter. ..

If you are familiar with GnuPG in command line mode you may try out sequoia pgp, which I compiled a Windows binary for, so that you can see how easy it is to have UID-less public keyblocks and how to assign labels for such keys.

dkg once said IIRC 'less is more', not in this context but this is what I love about sequoia pgp.

https://keybase.pub/stefan_claas/software/sequoia-pgp_Win64.zip

https://docs.sequoia-pgp.org/sq/index.html

Regards
Stefan

--
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
Re: "just invent something..."
On 5/21/20 10:52 AM, Ingo Klöcker - kloec...@kde.org wrote:
> On Donnerstag, 21. Mai 2020 00:14:40 CEST LisToFacTor via Gnupg-users wrote:
>
> I suppose you also entered an empty string for "Email address":
>
> ```
> Real name:
> Email address: f...@example.com
> You selected this USER-ID:
>     "f...@example.com"
>
> Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
> [...]
> ```
>
> A key with above User-ID is generated.

You are correct, the e-mail address was likewise an empty string.

First, let me mention that Web of Trust is to me not a useful public key verification mechanism, as it compromises my privacy. I use other methods to make it possible for my correspondents to verify the key.

I do not have a/one e-mail address either. At any point in time, I might be using any number of addresses, depending on who I'm communicating with, and none of those addresses is likely to remain in use as long as the key I am generating. None of such e-mail correspondents would have any idea whatsoever what to do with a gpg-encrypted message received from me anyways. On the other hand, for the exchange of personal and confidential messages, I do not use the "conventional" e-mail at all - the encrypted text is exchanged by other means, of which there are myriad.

I do know I could have given my name as "Peter P. Pumpkineater" and the e-mail address as "peter.p.pumpkinea...@example.com" and the program would generate the key-pair for me. But the question begs: is inventing false information the proper way of preventing the leakage of personally identifiable information, completely unnecessarily, via programs constructed by system architects whose thinking about the privacy is stuck in the time long behind us?

The proper thing for gpg program to do would be to allow the personally identifiable information in the key to be optional, and to warn the user generating such key that he will not be able to participate in the Web of Trust.

Wouldn't that be a better system design than demanding the user to provide the false information and treating such information as valid? Especially as one would not be able to participate in the Web of Trust as "Peter P. Pumpkineater", but there is no way for a program to issue any warning for that?
Re: "just invent something..."
On Donnerstag, 21. Mai 2020 00:14:40 CEST LisToFacTor via Gnupg-users wrote:
> English is not my native tongue, and the word I've chosen is based
> on my interpretation of the dialog presented by the program when
> generating the key:
>
> > GnuPG needs to construct a user ID to identify your key.
> >
> > Real name:
>
> upon entering an empty string, the response is:
> ...
>
> > gpg: [internal]: no User-ID specified
>
> (and the program quits with no further explanation)
>
> To me, this appears to qualify as a demand for user's "Real name".

I suppose you also entered an empty string for "Email address":

```
$ gpg --gen-key
Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name:
Email address:
You selected this USER-ID:
    ""

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
gpg: [internal]: no User-ID specified
```

Generating a key with empty "Real name" and non-empty "Email address" (and vice versa) works:

```
$ gpg --gen-key
Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name:
Email address: f...@example.com
You selected this USER-ID:
    "f...@example.com"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
[...]
```

A key with above User-ID is generated.

I agree that there could be a more user-friendly error message than "gpg: [internal]: no User-ID specified". In particular, it makes little sense to ask the user if everything is okay if the empty values the user entered do not result in a valid User-ID.

Regards,
Ingo
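Ingo's transcripts show the User ID at the prompt level; the same question (does this key carry a User ID at all, and which one?) can be answered from the binary keyblock itself, which is also how the UID-less keyblocks Stefan mentions can be recognised when they show up in a keyring or on a keyserver. The following Python is an added example, not code from this thread, from GnuPG or from Sequoia: it walks the packet headers of a keyblock as laid out in RFC 4880 (old- and new-format lengths; indeterminate and partial lengths are rejected) and collects the User ID packets (tag 13). The keyblock bytes are constructed for the example: the public-key packet body is a placeholder, not real key material, and `alice@example.com` is a made-up address; the `<address>` form is the shape gpg builds when only the email field is filled in.

```python
"""Added example: walk the packets of a binary OpenPGP keyblock (RFC 4880
section 4.2 header formats, partial lengths excluded) and list its User IDs."""
import struct

# Packet tags that appear in a public keyblock (RFC 4880, section 4.3)
TAG_NAMES = {
    2: "signature",
    6: "public-key",
    13: "user-id",
    14: "public-subkey",
    17: "user-attribute",
}


def parse_packets(data):
    """Yield (tag, body) for every packet in `data`.

    Old-format headers carry a 1/2/4-octet length; new-format headers a
    1/2/5-octet length. Indeterminate and partial body lengths raise, since
    exported keyblocks do not use them.
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        pos += 1
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield tag, body


def user_ids(keyblock):
    """Return the decoded User ID strings (tag 13 packets) in keyblock order."""
    return [body.decode("utf-8") for tag, body in parse_packets(keyblock) if tag == 13]


def has_user_id(keyblock):
    """True when the keyblock carries at least one User ID packet."""
    return bool(user_ids(keyblock))


def describe(keyblock):
    """Packet listing by name, e.g. ['public-key', 'user-id', 'signature']."""
    return [TAG_NAMES.get(tag, f"tag-{tag}") for tag, _ in parse_packets(keyblock)]


def packet(tag, body):
    """Encode `body` as a new-format packet; used here only to build samples."""
    n = len(body)
    if n < 192:
        header = bytes([0xC0 | tag, n])
    elif n < 8384:
        n -= 192
        header = bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF])
    else:
        header = bytes([0xC0 | tag, 255]) + struct.pack(">I", n)
    return header + body


# Constructed samples. The public-key body is a placeholder (version octet
# plus zeros), not real key material; the address is a made-up example.
PLACEHOLDER_KEY = packet(6, b"\x04" + b"\x00" * 32)
EMAIL_ONLY_UID = packet(13, b"<alice@example.com>")  # shape gpg builds from an email-only UID
WITH_UID = PLACEHOLDER_KEY + EMAIL_ONLY_UID
WITHOUT_UID = PLACEHOLDER_KEY                         # a UID-less keyblock

if __name__ == "__main__":
    for name, block in (("with UID", WITH_UID), ("without UID", WITHOUT_UID)):
        print(name, describe(block), user_ids(block), has_user_id(block))
```

Run it directly to see the packet listing for both constructed samples; to inspect a real key, feed `user_ids()` the bytes of a binary export (`gpg --export` without `--armor`). A keyblock for which `has_user_id()` is false is exactly the case the thread is discussing: usable by fingerprint, but with nothing for a mail client to match an address against.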