Mailing List Archive

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "SR" == Subba Rao <subb3@attglobal.net> writes:

SR> I have sucessfully installed GPG on my linux system and
SR> generated the keys of myself. One of my users has genrated his
SR> set of keys too. How can I authenticate the mail from this
SR> user, when he sends it while away from the office?

Email verification is one of the main uses of public-key encryption
tools (like GPG). So, you're definitely not alone. :-)

Your user -will- generally need to have his secret key available on
the machine that his/her mail program is on. The user will _sign_ the
message with his/her secret key, and then you can use their public
key to verify the message. The steps necessary are probably as
follows:

1) The user should use the "gpg --export" command to export their public
key to a file. You can then use the "gpg --import" command to import
their public key into your personal keyring.

2) If they will be working from a different machine, the user should
copy their secret ring to the new machine (just copying ~/.gnupg works
fine). They can also use "gpg --export" to export the key, and
re-import it on the new machine.

NOTE NOTE NOTE that the secret key and secret key ring is the
_MOST_PRECIOUS_ item in GPG, and utmost care should be taken in
moving it around. DEFINITELY make sure that he/she doesn't leave
the key or keyring anywhere out of his/her control! This cannot be
emphasized enough.

3) The user can then use a mail program to "sign" the message. If
their mail program doesn't support GPG, they can write the message
in a text editor, and then use the command "gpg --clearsign
[message]" to sign the file. They can then cut-and-paste the file
(with signature) into the mailer. NOTE that some mailers like
Netscape or Outlook will convert plain text mail to HTML or RTF by
default. Make sure that they use whatever settings necessary to
make the mail "plain text."

The "signature" will be a few lines of text around the body of the
message. You can see an example in this current email message.

4) When you receive the message, you can use a GPG-aware mailer to
"verify" the signed message. If you don't have a GPG-aware mailer,
you can save the message to a file, and use "gpg --verify" to
verify that the message is indeed from your user.

Another method that may be easier is to have your user log on to the
machine where you already have GPG installed, and use a mailer
there. HOWEVER!! Please note that they should use a secure terminal
program to log in to the machine, like SSH. ****Using Rlogin or telnet
is very bad****, since they will send their GPG passphrase over the
network without any encryption. Don't do that! Repeat: don't do that!

I hope that that helps somewhat. There are a number of GPG-aware mail
programs available from this URL:

http://www.gnupg.org/download.html

One that is very popular is Mutt (http://www.mutt.org/).

Anyways, good luck.

~Mr. Bad

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Bad <mr.bad@pigdog.org>
Pigdog Journal | http://pigdog.org/ | RoR - Alucard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4iiuwbZezvPSYodkRAkaHAJ9HQN4mbbaKi2GnEIJza7zFDbJKNACfQKRq
Qv8fF8T5VBQ1HxxFOEAqDfo=
=MfmX
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "B" == Bad <mr.bad@pigdog.org> writes:

B> 3) The user can then use a mail program to "sign" the
B> message. [...] The "signature" will be a few lines of text around the body
B> of the message. You can see an example in this current email
B> message.

One thing that I forgot to mention, and that many new users forget, is
that -after- the message is signed, they _should_not_ edit the
message. The signature is for the message AS IS. Even changing a
single space or return will invalidate the signature!

If they need to edit the message after signing, they should go back to
the original message text, edit _THAT_, and then re-sign the message.

~Mr. Bad

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mr. Bad <mr.bad@pigdog.org>
Pigdog Journal | http://pigdog.org/ | RoR - Alucard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ijGQbZezvPSYodkRAvnZAJ0VsynBkqHtJdyt107igsTSqNRTJACfVjSZ
hnPeBhVW7LSt2I0rvoqIyq4=
=q6qw
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22 Jan 2000, Mr. Bad wrote:
> One thing that I forgot to mention, and that many new users forget, is
> that -after- the message is signed, they _should_not_ edit the
> message. The signature is for the message AS IS. Even changing a
> single space or return will invalidate the signature!

I wonder if the next RFC for PGP will add a protocol that only counts
printable characters and IGNORES ALL WHITESPACE characters for the purpose
of calculating checksums. I bet that it would alleviate (or mask?) a lot
of problems with mail programs that try to "pretty-up" messages, do
CR-CRLF conversions, etc...

Does anyone know if this idea has been discussed before?

Erik Rossen ^
rossen@freesurf.ch /e\
http://www.multimania.com/rossen --- GPG key ID: 2935D0B9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ivZEY88aPik10LkRArfZAJ4xx5z+rpbE77Jj1V6AaIp8MP1KGQCfRkHd
83D2m1zBo19DZvgnHDiO2sg=
=7SQX
-----END PGP SIGNATURE-----

On Sun, 23 Jan 2000, Erik Rossen wrote:

> I wonder if the next RFC for PGP will add a protocol that only counts
> printable characters and IGNORES ALL WHITESPACE characters for the purpose
> of calculating checksums. I bet that it would alleviate (or mask?) a lot

You cant do this as it changes the semantics of a message:
A B C
==== ===== ====
3000 20000
50 700
4000 100

would be the same as

A B C
==== ===== ====
3000 20000
50 700
4000 1000

I guess you don't want this. Stripping trailing white spaces does not
do chnages like this.

> of problems with mail programs that try to "pretty-up" messages, do
> CR-CRLF conversions, etc...

It is all well defined in OpenPGP, but PGP 2 and 5 did different
things.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html

Werner Koch <wk@gnupg.org> writes:

> > of problems with mail programs that try to "pretty-up" messages, do
> > CR-CRLF conversions, etc...
>
> It is all well defined in OpenPGP, but PGP 2 and 5 did different
> things.

OpenPGP doesn't specify what to do with U+2028 (LINE SEPARATOR) and
U+2029 (PARAGRAPH SEPARATOR). Shall an implementation convert them to
CRLF or not?

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
RUS-CERT, Univ. Stuttgart http://cert.uni-stuttgart.de/

On Mon, 24 Jan 2000, Florian Weimer wrote:

> OpenPGP doesn't specify what to do with U+2028 (LINE SEPARATOR) and
> U+2029 (PARAGRAPH SEPARATOR). Shall an implementation convert them to
> CRLF or not?

It does. When speaking about CR or LF is does mean the codes 0x0d
and 0x0a. Codes > 0x7f are not used in OpenPGP. How you encode the
message is not subject to OpenPGP and for user IDs and other strings
used within OpenPGP packets UTF-8 encoding is required.

So if you want to use these characters, there must be a reason for
this and you probably should not convert them. Due to RFC822
restrictions you have to encode those characters anyway. Do not use
ascii armor but RFC2015 for such messages.

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html

Werner Koch <wk@gnupg.org> writes:

> On Mon, 24 Jan 2000, Florian Weimer wrote:
>
> > OpenPGP doesn't specify what to do with U+2028 (LINE SEPARATOR) and
> > U+2029 (PARAGRAPH SEPARATOR). Shall an implementation convert them to
> > CRLF or not?
>
> It does. When speaking about CR or LF is does mean the codes 0x0d
> and 0x0a. Codes > 0x7f are not used in OpenPGP. How you encode the
> message is not subject to OpenPGP and for user IDs and other strings
> used within OpenPGP packets UTF-8 encoding is required.

What about signatures of plain text documents encoded in UTF-8? (This
is, of course, not related to MIME-PGP messages, because RFC 2015
ensures that the message is encoded in pure ASCII before the signature
is calculated, as you explained.)

RFC 2440, 5.2.1:

| 0x01: Signature of a canonical text document.
| Typically, this means the signer owns it, created it, or
| certifies that it has not been modified. The signature is
| calculated over the text data with its line endings converted
| to <CR><LF> and trailing blanks removed.

If I interpret RFC 2440 correctly, the text document can be encoded
via UTF-8, and the term `line ending' is a bit ambiguous in this
context: Does it include U+2028 or not? (The common interpretation
seems to be that it doesn't, though.)

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
RUS-CERT, Univ. Stuttgart http://cert.uni-stuttgart.de/

On Mon, 24 Jan 2000, Florian Weimer wrote:

> If I interpret RFC 2440 correctly, the text document can be encoded
> via UTF-8, and the term `line ending' is a bit ambiguous in this
> context: Does it include U+2028 or not? (The common interpretation
> seems to be that it doesn't, though.)

line endings are

LF on Unix
CR on Macs
CR,LF on Dos

--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html