Mailing List Archive

gnupg-0.3.4 and pgp-2.6.3i interaction
Hi,

I'm still learning about gpg (it is rather complex ;-) and found some more
problems or questions:

1.) I encrypt a file using PGP with "pgp -c FILE". I'm able to decrypt
this file using gnupg with the command:
"gpg --load-extension idea --cipher-algo idea --digest-algo md5 FILE".
However, if I don't supply the options '--cipher-algo' or '--digest-algo',
gnupg uses the wrong algorithms to decrypt the file and prints an error
message "decryption failed: Bad key".

If the extension module IDEA is loaded, IMHO gnupg should detect it
and then use this algorithm when decrypting PGP 2.6 files.
Furthermore, in g10/passphrase.c I found this comment:

* this should be MD5 if cipher is IDEA, but because we do
* not have IDEA, we use the default one, the user
* can select it from the commandline

IMHO gnupg should auto-detect the extension IDEA and use MD5 by
default.
Of course depending on specific extensions in the main program
isn't a good thing at all, but in this special case I think it's
OK. What do you think?


2.) When I encrypt a file using gnupg with the command line:
"gpg --load-extension idea --cipher-algo idea --digest-algo md5 -c FILE"
PGP can read this file but not decrypt. I only get a "Bad pass phrase"
error. :-(

I'm missing one? I didn't find a hint using source and a debugger...


3.) It looks like the gnupg option '--list-packets' is really broken.
In the near future I will make further investigations on this problem.


cu
Michael



P.S.: Where can I find OpenPGP draft/standard/faq/information?
Re: gnupg-0.3.4 and pgp-2.6.3i interaction
Hi all...

Michael's message brought to mind something I've been thinking about. I
don't know how many of you out there know much about administering
USENET servers, but one of the newer features is PGP-signed control
messages, for creating, removing, and renaming newsgroups.

If you enable it, you can be sure that only the "approved" party can
have newsgroups automatically created/removed/renamed on your system.
This is quite handy.

The problem is that the PGP people feel that this is a commercial use of
PGP, and they require you to purchase a license to use it. Not only
that, but you can't just get a personal license, you have to get a
more expensive license, according to them.

It doesn't seem likely, right now, that we can convince the ISC folks to
start signing control messages with GnuPG instead (maybe later once
GnuPG is more widely accepted), but if we could use GnuPG to verify the
PGP signatures that would be very cool and we wouldn't need a PGP
license.

Unfortunately I'm a rank newbie at this, and I also don't have lots of
time to spend learning more :(, but I'd be happy to either provide a PGP
public key and sample message for someone to test with, or do some
experimenting myself if given a couple-line description of how it
_should_ work... maybe just a gpg command line for importing the PGP key
onto the gpg keyring (or can gpg read the PGP keyring?) and one for
verifying the message:

$ gpg <some-options-here> < test-msg.txt && echo "Verified!"

If I get it working I'd be happy to write up the steps needed to
integrate it into an INN installation.

Or is this not going to work for some reason?

--
-------------------------------------------------------------------------------
Paul D. Smith <psmith@baynetworks.com> Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions--Bay Networks takes no responsibility for them.
Re: gnupg-0.3.4 and pgp-2.6.3i interaction
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe that GPG can verify pgp signatures. What I have been trying to
do is let 'gpg -c' be able to encrypt multiple files. I have it working
basically, I just need to find a way to cache the encryption key so that
you don't have to type in the passphrase for every file you wish to
encrypt. I think I have an idea about this and I will try to work on it.
Then I guess I need to do the same thing for decryption too. I haven't
looked at it, but I have a feeling that decrypting multiple files might be
tougher.

Kirk Fort

On Fri, 11 Sep 1998, Paul D. Smith wrote:

> Hi all...
>
> Michael's message brought to mind something I've been thinking about. I
> don't know how many of you out there know much about administering
> USENET servers, but one of the newer features is PGP-signed control
> messages, for creating, removing, and renaming newsgroups.
>
> If you enable it, you can be sure that only the "approved" party can
> have newsgroups automatically created/removed/renamed on your system.
> This is quite handy.
>
> The problem is that the PGP people feel that this is a commercial use of
> PGP, and they require you to purchase a license to use it. Not only
> that, but you can't just get a personal license, you have to get a
> more expensive license, according to them.
>
> It doesn't seem likely, right now, that we can convince the ISC folks to
> start signing control messages with GnuPG instead (maybe later once
> GnuPG is more widely accepted), but if we could use GnuPG to verify the
> PGP signatures that would be very cool and we wouldn't need a PGP
> license.
>
> Unfortunately I'm a rank newbie at this, and I also don't have lots of
> time to spend learning more :(, but I'd be happy to either provide a PGP
> public key and sample message for someone to test with, or do some
> experimenting myself if given a couple-line description of how it
> _should_ work... maybe just a gpg command line for importing the PGP key
> onto the gpg keyring (or can gpg read the PGP keyring?) and one for
> verifying the message:
>
> $ gpg <some-options-here> < test-msg.txt && echo "Verified!"
>
> If I get it working I'd be happy to write up the steps needed to
> integrate it into an INN installation.
>
> Or is this not going to work for some reason?
>
> --
> -------------------------------------------------------------------------------
> Paul D. Smith <psmith@baynetworks.com> Network Management Development
> "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
> -------------------------------------------------------------------------------
> These are my opinions--Bay Networks takes no responsibility for them.
>
-----BEGIN PGP SIGNATURE-----
Version: GNUPG v0.3.4 (FreeBSD)
Comment: Get GNUPG from ftp://ftp.guug.de/pub/gcrypt/

iEYEARECAAYFAjX5YfQACgkQf+niZZlBRVO2LwCfWIdS3IthbuYMhaYn6nvlaN5K3EEAn37c
x0p9fi6SfAUllkB7xf43U8aC
=l8sb
-----END PGP SIGNATURE-----
Re: gnupg-0.3.4 and pgp-2.6.3i interaction
Michael Roth <mroth@nessie.de> writes:

> IMHO gnupg should auto-detect the extension IDEA and use MD5 by
> default.

I don't know from where you have idea ;) - Do you have a licence from
Ascom to use it, or are you only doing research :-)

I will never add (direct) support for a patented algorithm; RSA is an
exception as it is only patented in the U.S. There is no need for
IDEA - if you need encryption use GNUPG or PGP 5 (w/o IDEA).

> Of course depending on specific extensions in the main program
> isn't a good thing at all, but in this special case I think it's

Not for this case (IDEA).

> 2.) When I encrypt a file using gnupg with the command line:
> "gpg --load-extension idea --cipher-algo idea --digest-algo md5 -c FILE"
> PGP can read this file but not decrypt. I only get a "Bad pass phrase"
> error. :-(

You should add --rfc1991, so that gnupg does not generate salted
passphrases [does the option really work in this case?].

S2K identifiers are an OpenPGP extension and available in PGP2. They
are useful to make dictionary attacks more time consuming.

> 3.) It looks like the gnupg option '--list-packets' is really broken.
> In the near future I will make further investigations on this problem.

It is not really broken, but it can only list packets which gnupg
knows how to process. It is more than a dump of the packets: You
are able to see the structure of encrypted packets (if you have the
secret key/passphrase).

It is on my TODO list to make it more useful. Note that you can use
"-vv" in most cases to get a raw dump of the packets as they are
parsed.

> P.S.: Where can I find OpenPGP draft/standard/faq/information?

It's called draft-ietf-openpgp-formats-07.txt and available at:

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).


Werner
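
The salted-passphrase mismatch discussed in the message above, as an added example that is not part of the original post or of GnuPG's code: it implements the three OpenPGP string-to-key (S2K) specifier types as published in RFC 4880 section 3.7.1 and compares each result with the key a PGP 2.x reader derives, which RFC 1991 defines as the MD5 hash of the passphrase. The function names, the passphrase and the salt are constructed for illustration.

```python
import hashlib

def decode_count(c: int) -> int:
    """Expand the one-octet coded count of an iterated-and-salted S2K."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k(passphrase: bytes, key_len: int, hash_name: str = "md5",
        mode: int = 0, salt: bytes = b"", coded_count: int = 0) -> bytes:
    """mode 0 = simple, 1 = salted, 3 = iterated and salted."""
    if mode not in (0, 1, 3):
        raise ValueError("unknown S2K specifier type")
    if mode and len(salt) != 8:
        raise ValueError("salted modes need an 8-octet salt")
    data = (salt if mode else b"") + passphrase
    # Iterated mode hashes `count` octets, but never less than one full
    # copy of salt + passphrase.
    total = max(decode_count(coded_count), len(data)) if mode == 3 else len(data)
    reps, rest = divmod(total, len(data)) if data else (0, 0)
    key, preload = b"", 0
    while len(key) < key_len:
        # Keys longer than one digest come from extra hash contexts,
        # each preloaded with one more zero octet than the last.
        h = hashlib.new(hash_name, b"\x00" * preload)
        for _ in range(reps):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def pgp2_key(passphrase: bytes) -> bytes:
    """PGP 2.x conventional encryption: IDEA key = MD5(passphrase)."""
    return hashlib.md5(passphrase).digest()

PASSPHRASE = b"correct horse"              # constructed sample value
SALT = bytes.fromhex("0102030405060708")   # constructed sample value

def compare() -> dict:
    """Which S2K types yield the key a PGP 2.x reader would derive?"""
    want = pgp2_key(PASSPHRASE)
    return {
        "simple": s2k(PASSPHRASE, 16) == want,
        "salted": s2k(PASSPHRASE, 16, mode=1, salt=SALT) == want,
        "iterated": s2k(PASSPHRASE, 16, mode=3, salt=SALT,
                        coded_count=96) == want,
    }

if __name__ == "__main__":
    print(compare())
```

Only the simple type reproduces the PGP 2.x key, so a reader that does not parse the S2K specifier derives a different key from the correct passphrase. The salt defeats precomputed dictionaries and the iteration count raises the cost of each guess.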
Re: gnupg-0.3.4 and pgp-2.6.3i interaction
"Paul D. Smith" <psmith@BayNetworks.COM> writes:

> It doesn't seem likely, right now, that we can convince the ISC folks to
> start signing control messages with GnuPG instead (maybe later once

gnupg can be used outside of the U.S. for this task by using the RSA
extension module. Give it a try and write me which bugs I have to
fix.

> If I get it working I'd be happy to write up the steps needed to
> integrate it into an INN installation.
>
> Or is this not going to work for some reason?


You have the RSA problem in the U.S.; that is the only reason why it
may not work there.


Werner