
Problems with an expired key...
Ok... So now I seem to have everything right messed up. :-(

My old key expired. I wanted to have interoperability between Linux
and Windows, so I generated my next key with PGP for Windows, and then
imported it into GPG.

Unfortunately, GPG seems to still like my old key (even if I disable
it). Although I get warnings when I decrypt that my key has expired,
when I encrypt it seems to still want to use the old key.

I think it'd be doing the same thing with signatures but for the fact
that I specified the default-key option to my new key.

Is there some way to get around this problem that doesn't involve
dumping my old key from my keyring (still handy for reading old
messages)?

--Chris
Re: Problems with an expired key...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Mar 15, 2000 at 02:40:34PM -0800, L. Sassaman wrote:
> Do you have the old key set as the default key in your .gnupg/options
> file?

Yup. I have partially fixed the problem by forcing my ID in mailcrypt,
but I'd still like gpg to handle things correctly.

- --Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjjQEmUACgkQfrrCpthD+UZPRACcDH34AMGV5etLGLzpp17E//ca
fAgAn0IYpU2Mh+HxhNo6Z2nB0prF98Gg
=doLE
-----END PGP SIGNATURE-----
Re: Problems with an expired key...
On Wed, Mar 15, 2000 at 02:44:56PM -0800, Christopher Smith wrote:
> On Wed, Mar 15, 2000 at 02:40:34PM -0800, L. Sassaman wrote:
> > Do you have the old key set as the default key in your .gnupg/options
> > file?
> Yup. I have partially fixed the problem by forcing my ID in mailcrypt,
> but I'd still like gpg to handle things correctly.
I need to clarify this:

1) By forcing the ID in .gnupg/options, I AM able to properly sign messages.
2) However, if I want to send self-encrypted messages, I have to
specify the key ID. If I specify a user id, GPG wants to use my old,
expired public key. This despite the fact that it's disabled (indeed,
if I disable the old key, GPG exits with a failure if I try to encrypt
to my own user id).

--Chris
Re: Problems with an expired key...
On Wed, Mar 15, 2000 at 04:44:38PM -0800, L. Sassaman wrote:
> On Wed, 15 Mar 2000, Christopher Smith wrote:
> > On Wed, Mar 15, 2000 at 02:44:56PM -0800, Christopher Smith wrote:
> > > On Wed, Mar 15, 2000 at 02:40:34PM -0800, L. Sassaman wrote:
> > > > Do you have the old key set as the default key in your .gnupg/options
> > > > file?
> > > Yup. I have partially fixed the problem by forcing my ID in mailcrypt,
> > > but I'd still like gpg to handle things correctly.
> > I need to clarify this:
> >
> > 1) By forcing the ID in .gnupg/options, I AM able to properly sign messages.
> > 2) However, if I want to send self-encrypted messages, I have to
> > specify the key ID. If I specify a user id, GPG wants to use my old,
> > expired public key. This despite the fact that it's disabled (indeed,
> > if I disable the old key, GPG exits with a failure if I try to encrypt
> > to my own user id).
> Set the "Encrypt-to" option in the .gnupg/options file.
Well, that did indeed fix it, although it is really only a work
around. Why can't GPG select the version of a public signature that
has not expired?

> And while you're fussing with config files, fix your email client not to
> use PGP/MIME. :)
Hey, I'd think that on this list of all places PGP/MIME would be well
regarded.

--Chris
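The behaviour Chris expects (a user ID that matches several keys never resolves to an expired or disabled one, and encryption fails plainly when nothing usable is left), as an added Python model written for this page; it is not gpg's implementation, and the key IDs, user IDs and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class PubKey:
    key_id: str               # constructed sample IDs, not real keys
    user_ids: list
    created: datetime
    expires: datetime = None  # None: never expires
    disabled: bool = False
    revoked: bool = False

    def usable_at(self, now: datetime) -> bool:
        if self.disabled or self.revoked:
            return False
        return self.expires is None or now < self.expires

def matches(key: PubKey, selector: str) -> bool:
    """Selector: a (possibly short, 0x-prefixed) key ID or a user-ID substring."""
    s = selector.lower()
    if s.startswith("0x"):
        s = s[2:]
    return key.key_id.lower().endswith(s) or any(s in u.lower() for u in key.user_ids)

def select_key(keyring: list, selector: str, now: datetime) -> PubKey:
    """Newest usable key for the selector; raise when every match is unusable."""
    usable = [k for k in keyring if matches(k, selector) and k.usable_at(now)]
    if not usable:
        raise LookupError(f"no usable public key for {selector!r}")
    return max(usable, key=lambda k: k.created)

def resolve_recipients(keyring: list, recipients, now: datetime, encrypt_to=()) -> list:
    """Key IDs to encrypt to: the recipients plus any 'encrypt-to' keys from the options file."""
    chosen = []
    for sel in list(recipients) + list(encrypt_to):
        kid = select_key(keyring, sel, now).key_id
        if kid not in chosen:
            chosen.append(kid)
    return chosen

UTC = timezone.utc
# Constructed keyring: an expired, disabled old key and its valid replacement share one user ID.
SAMPLE_KEYRING = [
    PubKey("AAAA0001", ["Chris <chris@example.invalid>"], datetime(1998, 3, 1, tzinfo=UTC),
           expires=datetime(2000, 3, 1, tzinfo=UTC), disabled=True),
    PubKey("BBBB0002", ["Chris <chris@example.invalid>"], datetime(2000, 3, 10, tzinfo=UTC),
           expires=datetime(2002, 3, 10, tzinfo=UTC)),
    PubKey("CCCC0003", ["Alice <alice@example.invalid>"], datetime(1999, 6, 1, tzinfo=UTC)),
]
```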
Re: Problems with an expired key...
On Wed, 15 Mar 2000, at 04:52:23 -0800, L. Sassaman said:
> On Wed, 15 Mar 2000, Christopher Smith wrote:
>
> > > And while you're fussing with config files, fix your email client not to
> > > use PGP/MIME. :)
> > Hey, I'd think that on this list of all places PGP/MIME would be well
> > regarded.
>
> It is my opinion that PGP/MIME should not exist. Most of the list members
> probably dislike it as well, though I doubt many share my extreme hatred
> for it. ASCII-Armored messages are good.

PGP/MIME is no problem; maybe the problem is that either pine doesn't
handle it well or you haven't configured it to handle it properly.

Mutt parses both PGP/MIME and application/pgp well, and I see no trouble
with it.

For instance, Christopher's sig output:

[-- Salida de PGP a continuación (tiempo actual: Thu Mar 16 09:26:04 2000) --]
gpg: Signature made jue 16 mar 2000 01:41:14 CET using DSA key ID D843F946
gpg: Can't check signature: public key not found
[-- Fin de salida PGP --]

[-- Lo siguiente esta firmado con PGP/MIME --]


whereas yours:

[-- Salida de PGP a continuación (tiempo actual: Thu Mar 16 09:30:12 2000) --]
gpg: Signature made jue 16 mar 2000 01:52:33 CET using DSA key ID 09AC0A6A
gpg: Can't check signature: public key not found
[-- Fin de salida PGP --]

[-- PRINCIPIO DEL MENSAJE FIRMADO CON PGP --]


So, where's the big difference? Your mailer could make the difference,
of course :)


--
Horacio Anno MMDCCLIII aUC
homega@ciberia.es Valencia - ESPAÑA
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: Problems with an expired key...
On Wed, 15 Mar 2000, L. Sassaman wrote:

> > around. Why can't GPG select the version of a public signature that
> > has not expired?
>
> It ought to. Ask Werner.

Seems that there is really a bug with expired keys. I'll look into
it.

> It is my opinion that PGP/MIME should not exist. Most of the list members
> probably dislike it as well, though I doubt many share my extreme hatred
> for it. ASCII-Armored messages are good.

<holywar>
RFC2015 is an Internet Standard, so that should be used. It has many
advantages over the old ascii armor. It is the only way to sign or
encrypt MIME mails - or do you still want to use uuencode?
</holywar>


Werner
Re: Problems with an expired key...
On Thu, 16 Mar 2000, at 10:46:34 +0000, Michael Stevens said:
> On Thu, Mar 16, 2000 at 10:46:58AM +0100, Werner Koch wrote:
> > <holywar>
> > RFC2015 is an Internet Standard, so that should be used. It has many
> > advantages over the old ascii armor. It is the only way to sign or
> > encrypt MIME mails - or do you still want to use uuencode?
> > </holywar>
>
> <aol>I agree</aol>

... sure, but you can't always go around telling people to "go and get a
better mailer" (uh... I think I just did that a while ago ;) if their
mailers don't parse PGP/MIME correctly, in which case having a mailer
that can deal with sending both the new and the old way is helpful.

In any case you still need to know beforehand which way the receiver's
mailer can handle, and that makes sending signed mails to mailing lists
pretty pointless.

--
Horacio Anno MMDCCLIII aUC
homega@ciberia.es Valencia - ESPAÑA
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: Problems with an expired key...
On Thu, Mar 16, 2000 at 10:46:58AM +0100, Werner Koch wrote:
> <holywar>
> RFC2015 is an Internet Standard, so that should be used. It has many
> advantages over the old ascii armor. It is the only way to sign or
> encrypt MIME mails - or do you still want to use uuencode?
> </holywar>

<aol>I agree</aol>
Re: Problems with an expired key...
On Thu, 16 Mar 2000, Horacio MG wrote:

> ... sure, but you can't always go around telling people to "go and get a
> better mailer" (uh... I think I just did that a while ago ;) if their

Why not. Use HTML mail with a link "Best verified with Mutt". :-)


Werner
Re: Problems with an expired key...
wk@gnupg.org said:
> On Thu, 16 Mar 2000, Horacio MG wrote:
>> ... sure, but you can't always go around telling people to "go and get a
>> better mailer" (uh... I think I just did that a while ago ;) if their

> Why not. Use HTML mail with a link "Best verified with Mutt". :-)

or exmh...
Re: Problems with an expired key...
On Thu, 16 Mar 2000, at 11:29:33 -0800, L. Sassaman said:
> On Thu, 16 Mar 2000, Horacio MG wrote:
>
> If you were to send a plain text message, with no attachments, would you
> use MIME? Then why use MIME for PGP? ASCII-Armored messages are the
> standard. And they work very well.

isn't ascii-armored an *old* standard and mime a (fairly) *new*
standard?

> > Mutt parses both PGP/MIME and application/pgp well, and I see no trouble
> > with it.
>
> Not everyone uses Mutt. You would be laughed at if you spoke up in defence
> of Rich Text Email, by saying "Outlook handles both Rich Text and HTML
> well," even though that is true.

I don't think it's fair to put HTML and MIME on the same level. See,
this seems to be your personal crusade against MIME.

I haven't heard anyone complaining about MIME in the way you are doing
it. If someone complains about not being able to handle my PGP/MIME
sig, no problem, I switch to application/pgp for him and that's about
it.

The problem comes when sending sig'ed mail to mailing lists, there you
can't have it right for everyone. But then again, some people have
their own crusade against sending sig'ed mail to mailing lists.

> Exactly. And, seeing that there is no significant reason to form a
> detached signature when signing a plain text message, I declare Mutt, and
> all mailers that implement *only* PGP/MIME for email transport, to be
> broken.

As I said earlier in this message (and in my other message as well), mutt
handles both. Therefore, why don't you declare broken any mailer which
does not implement any of them? Sounds a bit fairer to me.

> Just my opinion, of course. But it's the right one. :)

Of course, everyone's opinion is their own, and it makes sense that
you stand by it.

--
Horacio Anno MMDCCLIII aUC
homega@ciberia.es Valencia - ESPAÑA
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: Problems with an expired key...
On Thu, 16 Mar 2000, at 01:12:59 -0800, L. Sassaman said:
>
> I'll concede that it is useful for encrypting MIME emails. But what is the
> point in using PGP/MIME when you are sending non-MIME email?

I'm not all that sure about this, but I believe a PGP/MIME sig will
apply not only to the message body but also to the headers.


--
Horacio Anno MMDCCLIII aUC
homega@ciberia.es Valencia - ESPAÑA
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6
Re: Problems with an expired key...
On Fri, 17 Mar 2000 00:52:22 +0100, Horacio MG writes:
>I'm not all that sure about this, but I believe a PGP/MIME sig will
>apply not only to the message body but also to the headers.

it applies to all the headers you put into the encapsulated mime entity,
not to the headers of the outermost frame (an rfc822 compliant message), because
the headers of this entity do change in transit.

however, putting headers like subject, from, to and the like into mime-
subparts fools many mailreaders even more than pgp-mime does...

regards
az


--
++ Dipl.-Ing. Alexander Zangerl Xsoft GmbH. ++
++ a.zangerl@xsoft.at http://www.xsoft.at/ ++
++ phone +43 1 7963636 - 28 fax +43 1 7963636 - 18 ++
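Alexander's point about which headers a PGP/MIME signature covers, as an added Python example that is not from the original posts: it assembles an RFC 2015 multipart/signed message and exposes the exact bytes the detached signature is computed over (the inner entity with its own headers, in canonical CRLF form), so a Subject rewritten in transit leaves the digest unchanged while a change to the inner Content-Description does not. The addresses and the armored signature are constructed placeholders.

```python
import hashlib
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed placeholder; a real message carries gpg's armored detached
# signature computed over signed_entity_bytes(inner).
PLACEHOLDER_SIG = ("-----BEGIN PGP SIGNATURE-----\n[placeholder]\n"
                   "-----END PGP SIGNATURE-----\n")

def canonical_crlf(data: bytes) -> bytes:
    # RFC 2015: the signed entity is hashed in canonical form, CRLF line ends,
    # which is also why an MDA that rewrites bare LF does not break the check.
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def signed_entity_bytes(part) -> bytes:
    """Exact bytes the signature covers: the first body part *including its
    own MIME headers*, canonicalised; the outer RFC 822 headers are not in it."""
    return canonical_crlf(part.as_bytes())

def build_pgp_mime_signed(subject, description, body, armored_sig):
    """Assemble an RFC 2015 multipart/signed message around one text part."""
    inner = MIMEText(body)
    inner["Content-Description"] = description   # header inside the signed entity
    sig = MIMENonMultipart("application", "pgp-signature")
    sig.set_payload(armored_sig)
    outer = MIMEMultipart("signed", micalg="pgp-sha1",
                          protocol="application/pgp-signature")
    outer["Subject"] = subject                   # outer headers: not covered
    outer["From"] = "chris@example.invalid"      # constructed addresses
    outer["To"] = "gnupg-users@example.invalid"
    outer.attach(inner)
    outer.attach(sig)
    return outer

def micalg_digest(msg) -> str:
    """SHA-1 (micalg=pgp-sha1) over the bytes a verifier must hand to gpg."""
    return hashlib.sha1(signed_entity_bytes(msg.get_payload(0))).hexdigest()
```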
Re: Problems with an expired key...
"L. Sassaman" <rabbi@quickie.net> writes:

> Also, you bring up another point: If I want to forward a message sent to
> me signed by someone, with the sign intact, I can do that with traditional
> PGP signing. I don't see how one could do that with PGP/MIME.

If your MUA doesn't support it, that's a problem of the
implementation (I think it'll be painful to implement this on Gnus
5.8, for example). The protocol was designed in a way which makes
forwarding possible.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: Problems with an expired key...
"L. Sassaman" <rabbi@quickie.net> writes:

> I'll concede that it is useful for encrypting MIME emails. But what is the
> point in using PGP/MIME when you are sending non-MIME email?

The majority of the messages I send require MIME.

From a US point of view, restricting yourself to ASCII is feasible,
but most of the rest of the world certainly has different
requirements. Even ASCII messages are sometimes mangled by MDAs,
that's why I prefer MIME-PGP to cleartext signatures for all messages.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5