Re: Is there a way to browse the GPG web of trust?
On 10/07/2011 11:56 PM, Jerome Baum wrote: > On 2011-10-07 20:55, Aaron Toponce wrote: >> On Fri, Oct 07, 2011 at 06:56:36PM +0200, Werner Koch wrote: >>> Why at all does this tool use the human readable format? I don't get >>> it. >> >> Probably because the author of sig2dot(1) doesn't know better. > > Why fix what's not broken? I can pretty much guarantee that it is in fact broken, given the range of possible User IDs and various --list-options that could be applied in gpg.conf to affect the human-readable format. I suppose it's possible that no one has actually hit a broken case, or (more likely) that no one has bothered to report such a breakage. Has anyone tried to use sig2dot with a User ID that contains an embedded newline? Or with show-notations or show-keyserver-urls or show-uid-validity set in --list-options? Anyone looking for a quick way to make a contribution to this corner of the OpenPGP toolset could just permute these kinds of changes until you can coax sig2dot into a bad state, and then file a bug report to the upstream author suggesting the use of the machine-readable format (or the perl module GnuPG::Interface, which uses the machine-readable format already, and should handle most of the parsing for you). Just because it currently works in the "normal" case doesn't mean it behaves properly in all cases. Hoping i'm wrong about sig2dot, --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 10/07/2011 12:15 PM, Melvin Carvalho wrote: > Thanks I may try and set up a key server in that case. Tho I did read > a report that it can be more work than anticipated. Running a keyserver isn't terribly hard. But you'll need a chunk of disk space (10G at least), a decent amount of RAM (1G), and a reliable network connection (ideally with a static IP). The dominant free keyserver these days is sks, You should subscribe to the discussion list for that project if you plan to run an OpenPGP keyserver: SKS development list Regards, --dkg (co-maintainer of keys.mayfirst.org) signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 10/8/2011 11:26 AM, Peter Lebbing wrote: > Sounds to me like like Aaron would have tried to fix it if he had > said patience. I missed that message: thank you. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 08/10/11 10:52, Robert J. Hansen wrote: > On 10/7/2011 11:56 PM, Jerome Baum wrote: >> Why fix what's not broken? > > Nobody has said sig2dot needs to be fixed. However, Aaron Toponce wrote: > I'd be game for submitting a patch, if I had the patience to work with > Perl. Sounds to me like like Aaron would have tried to fix it if he had said patience. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 10/7/2011 11:56 PM, Jerome Baum wrote: > Why fix what's not broken? Nobody has said sig2dot needs to be fixed. Werner asked why the author of sig2dot didn't use the fixed format, which is much better suited for this sort of thing. Saying, "I have spotted something that will someday need to be fixed," is not the same as saying, "we must fix it right now." ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 2011-10-07 20:55, Aaron Toponce wrote: > On Fri, Oct 07, 2011 at 06:56:36PM +0200, Werner Koch wrote: >> Why at all does this tool use the human readable format? I don't get >> it. > > Probably because the author of sig2dot(1) doesn't know better. Why fix what's not broken? (i.e. who cares if it doesn't use with-colons? It works, right? If it ever breaks, we can change it. But it works for the time being.) -- Q: What is your secret word? A: That's right. Q: What's right? A: Yes. Q: Sir, you're going to have to tell me your secret word. A: What? Q: I said please tell me your secret word. A: What? Q: What's your secret word? A: Yes. Q: Sorry, "yes" is not your secret word. You have two more chances. A: I said what? Q: Yes. A: Right, so you admit I said it. Q: No, you said "yes." A: No, "what!" Q: When? A: When you asked for my secret word! Q: What? A: Yes! Q: I'm sorry, that's incorrect. You have one more chance to say your secret word. A: I'd like to speak to your supervisor. Q: Very well, I'll transfer you. His name is Hu. (http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 7 October 2011 20:55, Aaron Toponce wrote: > On Fri, Oct 07, 2011 at 06:56:36PM +0200, Werner Koch wrote: >> On Fri, 7 Oct 2011 11:51, aaron.topo...@gmail.com said: >> > gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot > >> > ~/.gnupg/pubring.dot 2> ~/.gnupg/pubring.error.txt >> >> Why at all does this tool use the human readable format? I don't get >> it. > > Probably because the author of sig2dot(1) doesn't know better. > >> We have a machine readable format which is guaranteed to be stable >> and much easier to parse. The --with-colons option was introduced with >> versions 0.2.12 before April 1998. > > I'd be game for submitting a patch, if I had the patience to work with > Perl. I just ran across this too: the GPG web of trust for bitcoin: http://bitcoin-otc.com/viewgpg.php Seems a bit more browsable > > -- > . o . o . o . . o o . . . o . > . . o . o o o . o . o o . . o > o o o . o . . o o o o . o o o > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On Fri, 7 Oct 2011 11:51, aaron.topo...@gmail.com said: > gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot > > ~/.gnupg/pubring.dot 2> ~/.gnupg/pubring.error.txt Why at all does this tool use the human readable format? I don't get it. We have a machine readable format which is guaranteed to be stable and much easier to parse. The --with-colons option was introduced with versions 0.2.12 before April 1998. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 7 October 2011 17:54, Aaron Toponce wrote: > On Fri, Oct 07, 2011 at 12:46:32PM +0200, Melvin Carvalho wrote: >> This is awesome, thanks! > > No problem. It's pretty crazy stuff. > >> Is it possible to get a dump of all the signatures in a particular key >> server? > > Possible? Yes. Probable? Maybe. I once setup my own public keyserver, just > because, and found it to chew through 20GB or so, iirc. It's been about 5 > years since setting it up, so I'm guessing it's grown since then. > > If you want all the keys from a keyserver, you'll probably have the best > luck building your own keyserver, taking all the public keys, building a > keyring, and examining the Web of Trust on that. With that said, I would be > willing to bet that something of that magnitude would be rather CPU and RAM > intensive. You would probably want to take advantage of some pretty serious > hardware to make it practical. Thanks I may try and set up a key server in that case. Tho I did read a report that it can be more work than anticipated. > > If someone has better advice, you'll likely get it here. :) > >> BTW: Just as a side note, I am studying "web of trust" as a general >> concept (hopefully to become part of a PhD). There is also the "FOAF" >> web of trust, which is bigger (say 100 million plus) but perhap not as >> high quality as GPG. Im also looking at the data in >> http://convergence.io/ ... it might be an idea to try and map all the >> different web of trusts on the internets and collate the data together > > Will your discertation be available publicly? I'm still at a very early stage. But I see no point in writing a phd ("contribution to knowledge") unless it is publicly available. > > -- > . o . o . o . . o o . . . o . > . . o . o o o . o . o o . . o > o o o . o . . o o o o . o o o > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On 7 October 2011 11:51, Aaron Toponce wrote: > On Fri, Oct 07, 2011 at 10:26:59AM +0200, Melvin Carvalho wrote: >> Just wondering is there a way to browse the GPG web of trust? >> >> Is some of the signing data public and downloadable, or is it mainly private? > > Yes, and no. The Web of Trust is just a web centered around a specific > keyring. If you have a specific keyring, you can view that key's Web of > Trust. All you're looking at are signatures. It becomes a bit troublesome > after a while, because you look not only at that key's signatures, but the > signatures of those who signed the key as well. > > If you want a graphical view of a Web of Trust, here is a quick shell > script you can run that ends up with a GIF you can view an any image > editor. You'll need GnuPG, of course, as well as signing-party (which > provides sig2dot), graphviz (which provides neato) and imagemagik (which > provides convert): > > gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot > > ~/.gnupg/pubring.dot 2> ~/.gnupg/pubring.error.txt > neato -Tps ~/.gnupg/pubring.dot > ~/.gnupg/pubring.neato.ps > convert ~/.gnupg/pubring.neato.ps ~/.gnupg/pubring.gif > > The more signatures and keys in that keyring, the more complex the Web of > Trust could be, and the longer it may take to generate that GIF. On my > Intel dualcore laptop, I rendered a keyring for a friend, and it took over > 30 minutes. So, be patient. Here's mine (using the script above): > > http://aarontoponce.org/pubring.gif > > Further, there is also the "Strong Set", which is said to be the largest > Web of Trust on the Internet. You can view that web here: > > http://pgp.cs.uu.nl/plot/ > > As an interesting sidenote, the top 25 keys, and all but 15 of the top 50 > keys in that web belong to contributors of the Debian project (or so I've > been told). This is awesome, thanks! Is it possible to get a dump of all the signatures in a particular key server? BTW: Just as a side note, I am studying "web of trust" as a general concept (hopefully to become part of a PhD). There is also the "FOAF" web of trust, which is bigger (say 100 million plus) but perhap not as high quality as GPG. Im also looking at the data in http://convergence.io/ ... it might be an idea to try and map all the different web of trusts on the internets and collate the data together ... > > -- > . o . o . o . . o o . . . o . > . . o . o o o . o . o o . . o > o o o . o . . o o o o . o o o > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Is there a way to browse the GPG web of trust?
Just wondering is there a way to browse the GPG web of trust? Is some of the signing data public and downloadable, or is it mainly private? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users