Re: Key safety vs Backup : History of a bad day (key-restoration problem)
Why not just pick a strong passphrase and mail a copy to all your email accounts? You would only need to worry about remembering the passphrase.

One solution is to pick a bunch of friends who regularly use pgp (maybe even the active members from this list), encrypt the text of your passphrase to these recipients and keep several copies of it at different places (and obviously not mail it to any of the recipients). If ever you forget your passphrase, just ask anyone from the recipient list to decrypt it for you. You can then change the passphrase - no damage done!

To be on the safe side, add a symmetric enc key too, with a simple password that you would always remember...

yyz

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A note to Atom Smasher [WAS: Subkey DSA signature changes...]
--- Atom Smasher <[EMAIL PROTECTED]> wrote:

> On Tue, 30 Oct 2007, YYZ wrote:
>
> > Going through the list archives, I came across a few of your postings
> > that seem to indicate that you have more insight into the way subkey
> > self-signatures are generated than what I can gather from the RFC.
> > Arguably, it's one of the most confusing sections...
> >
> > http://lists.gnupg.org/pipermail/gnupg-users/2004-May/022511.html
> >
> > However, i didn't find any more posts from you explaining how did you
> > manage to generate the missing self-signatures on your subkeys. I'd
> > appreciate if you could share that knowledge with us...
> ===
>
> don't try this at home - http://atom.smasher.org/gpg/gpg-migrate.txt
>
> it's an ugly hack, there's really no reason you should ever have to do it,
> and last i checked it didn't even work with gpg since 1.2.4.

Thanks! I can confirm that it doesn't work anymore. However, I have been able to hack the gpg code to do this, should I ever need to...

> > Since the signatures are computed from the hash of the key material
> > (which differs in the secret and the public key packets), I'd suppose
> > the secret subkey signature to be different from the public subkey
> > signature.
> =
>
> it's been a while since i've dug through the RFC...
>
> RFC2440:11.2. Key IDs and Fingerprints; A V4 fingerprint is the 160-bit
> SHA-1 hash of the one-octet Packet Tag, followed by the two-octet packet
> length, followed by the entire _Public_ Key packet starting with the
> version field.
>
> fingerprint are calculated using just the public parts of the [sub]key.

Hash used for computing signatures is different from the fingerprint. It changes every time a new signature is generated. However, what you stated is true for signature hashes too - they are computed just using the public parts of the key.

Anyway, I got my answers from the gpg source code. When generating a new subkey pair, for some reason, it generates the signature twice, one for the public keyring and one for the private keyring. Can't see the rationale behind it, since it's computed over the same data...

yyz
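The RFC 2440 section 11.2 rule quoted in the message above, as an added example (not code from the thread or from GnuPG): it hashes only the public fields, so a public key packet and the matching secret key packet give the same V4 fingerprint. The key numbers, timestamp and the unprotected secret-packet layout are constructed toy values, and 0x99 is the tag octet as RFC 4880 spells it out.

```python
import hashlib

# Algorithm id -> number of public MPIs (DSA: p, q, g, y; Elgamal: p, g, y).
PUBLIC_MPIS = {17: 4, 16: 3}

def mpi(n: int) -> bytes:
    """Encode an OpenPGP MPI: two-octet bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def public_part(body: bytes) -> bytes:
    """Return the public-key fields that start a V4 public or secret key packet body."""
    if len(body) < 6 or body[0] != 4 or body[5] not in PUBLIC_MPIS:
        raise ValueError("expected a V4 DSA or Elgamal key packet body")
    pos = 6  # version (1) + creation time (4) + algorithm (1)
    for _ in range(PUBLIC_MPIS[body[5]]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8
    if pos > len(body):
        raise ValueError("truncated key packet")
    return body[:pos]

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet length, and the public fields only."""
    pub = public_part(body)
    return hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).hexdigest().upper()

# Constructed sample key with toy DSA numbers (far too small for real use).
P, Q, G, X = 607, 101, 64, 57
Y = pow(G, X, P)
PUB = (bytes([4]) + (1193702400).to_bytes(4, "big") + bytes([17])
       + mpi(P) + mpi(Q) + mpi(G) + mpi(Y))
# Secret key packet body: the same public fields, then S2K usage 0 (unprotected),
# the secret MPI x, and a two-octet additive checksum over the secret MPI.
SECRET = mpi(X)
SEC = PUB + b"\x00" + SECRET + (sum(SECRET) % 65536).to_bytes(2, "big")

if __name__ == "__main__":
    print("from public packet:", v4_fingerprint(PUB))
    print("from secret packet:", v4_fingerprint(SEC))
```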
A note to Atom Smasher [WAS: Subkey DSA signature changes...]
Atom,

Going through the list archives, I came across a few of your postings that seem to indicate that you have more insight into the way subkey self-signatures are generated than what I can gather from the RFC. Arguably, it's one of the most confusing sections...

http://lists.gnupg.org/pipermail/gnupg-users/2004-May/022511.html

However, I didn't find any more posts from you explaining how did you manage to generate the missing self-signatures on your subkeys. I'd appreciate if you could share that knowledge with us...

Since the signatures are computed from the hash of the key material (which differs in the secret and the public key packets), I'd suppose the secret subkey signature to be different from the public subkey signature. However, that doesn't seem to be the case. I found out that they actually have the same hash value. For some weird reason though, the signature itself is different in case of newly generated keys. But when importing from an exported private key or the secret keyring, the secret subkey signature is just copied over to the private keyring.

Appreciate if you could offer some insight into this. Thanks!

--- YYZ <[EMAIL PROTECTED]> wrote:

> Hi everyone!
>
> Can anyone explain this strange gpg behavior, observed when I follow
> these steps?
>
> I use gpg to generate a key-pair using default options (1024D/2048g).
> Afterwards, I import the secret keyring into another account, and issue
> the following commands "gpg --export" and "gpg --export-secret-key" in
> both the accounts.
>
> I noticed that while the second command yields identical results, the
> output of the first command is slightly different in the two cases
> (actually, just the last 44 bytes). A little analysis reveals that the
> bytes that differ are really the two MPIs representing the "r" and "s"
> components of the DSA signature for the ELG subkey.
>
> Further, if I export my secret keyring to several different accounts/
> computers, all of them end up with identical DSA signature for the
> exported subkey (but it's different from the original signature). Can
> someone please explain why is it like this?
>
> Thanks!
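How the "r" and "s" MPIs can differ while the hashed data is identical: standard (randomized) DSA mixes a fresh per-signature secret k into every signature, so the same key signing the same digest produces a different, equally valid (r, s) for each k. This is an added example, not code from the thread or from GnuPG; the domain parameters, key and digest are constructed toy values.

```python
import hashlib
import secrets

# Toy DSA domain parameters (constructed; far too small for real use):
# Q is prime, Q divides P - 1, and G = 2^((P-1)/Q) mod P has order Q.
P, Q, G = 607, 101, 64
X = 57              # private key (constructed)
Y = pow(G, X, P)    # public key

def sign(digest, x, k=None):
    """Sign a digest. k is the per-signature secret; it is random unless given."""
    h = int.from_bytes(digest, "big") % Q
    while True:
        nonce = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, nonce, P) % Q
        s = pow(nonce, -1, Q) * (h + x * r) % Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("this k gives r == 0 or s == 0; pick another")

def verify(digest, sig, y):
    """Standard DSA verification of (r, s) against the public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h = int.from_bytes(digest, "big") % Q
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def signatures_for_every_k(digest, x):
    """Map each usable k to the (r, s) it produces for the same digest and key."""
    out = {}
    for k in range(1, Q):
        try:
            out[k] = sign(digest, x, k)
        except ValueError:
            pass  # degenerate k, which a real signer would also skip
    return out

# Constructed stand-in for the SHA-1 digest of the subkey binding data.
DIGEST = hashlib.sha1(b"constructed subkey binding data").digest()

if __name__ == "__main__":
    sigs = signatures_for_every_k(DIGEST, X)
    print(len(sigs), "valid signatures over one digest, e.g.", list(sigs.values())[:3])
```

With a 160-bit q, r and s are each stored as a two-octet bit count plus up to 20 octets, which accounts for the 44 differing bytes reported in the thread.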
Subkey DSA signature changes after importing secret keyring
Hi everyone!

Can anyone explain this strange gpg behavior, observed when I follow these steps?

I use gpg to generate a key-pair using default options (1024D/2048g). Afterwards, I import the secret keyring into another account, and issue the following commands "gpg --export" and "gpg --export-secret-key" in both the accounts.

I noticed that while the second command yields identical results, the output of the first command is slightly different in the two cases (actually, just the last 44 bytes). A little analysis reveals that the bytes that differ are really the two MPIs representing the "r" and "s" components of the DSA signature for the ELG subkey.

Further, if I export my secret keyring to several different accounts/computers, all of them end up with identical DSA signature for the exported subkey (but it's different from the original signature). Can someone please explain why is it like this?

Thanks!