Mailing List Archive

gpg --recv-key option
I have been speaking back and forth with some users of gpg and am
having some problems seeing any posts for my requests to the group....

Make a long story short...
Why is it that if I do something of this nature:

gpg --keyserver certserver.pgp.com --recv-key email@whoever.com

I will not receive anything. I am told through communications with
yourself that you can only get the id of the key. How can someone have
any idea how to retrieve a given person's key off a server if they have
to know the id?

If this is true, what is the logic behind the structure of this? If I
am wrong, what am I doing incorrectly?

I am running Redhat Linux 6.1, Kernel 2.2.13
gnupg-rsaref-1.0-2
gnupg-1.0.0-1


---
/helfman
"At any given moment, you may find the ticket to the circus that has
always been in your possession."

Fingerprint: 2F76 2856 776A 3E07 9F3E 452A 17D9 9B28 D75E 0A36
GnuPG http://www.gnupg.org Get Private!
Re: gpg --recv-key option
Put http://pgp.mit.edu into your web browser, and from there you can search
by email to receive Hex IDs.

--
Marius Strom <marius@alpha1.net>
Professional Geek/Unix System Administrator
Alpha1 Internet <http://www.alpha1.net>
http://www.marius.org/marius.pgp 0x42C74CBA

In theory, there is no difference between theory and practice...
...In practice, there is a big difference.

On Fri, 24 Mar 2000, Jason Helfman wrote:

> I have been speaking back and forth with some users of gpg and am
> having some problems seeing any posts for my requests to the group....
>
> Make a long story short...
> Why is it that if I do something of this nature:
>
> gpg --keyserver certserver.pgp.com --recv-key email@whoever.com
>
> I will not receive anything. I am told through communications with
> yourself that you can only get the id of the key. How can someone have
> any idea how to retrieve a given person's key off a server if they have
> to know the id?
>
> If this is true, what is the logic behind the structure of this? If I
> am wrong, what am I doing incorrectly?
>
> I am running Redhat Linux 6.1, Kernel 2.2.13
> gnupg-rsaref-1.0-2
> gnupg-1.0.0-1
Re: gpg --recv-key option
So this can't be done via the shell, if this is what I am seeing? I
know that you can do this with pgp6...

----- Original Message -----
From: Marius Strom <marius@alpha1.net>
Date: Friday, March 24, 2000 12:23 pm
Subject: Re: gpg --recv-key option

> Put http://pgp.mit.edu into your web browser, and from there you can
> search by email to receive Hex IDs.
Re: gpg --recv-key option
> So this can't be done via the shell, if this is what I am seeing? I
> know that you can do this with pgp6...

Yes, you can. To get Marius' key:

gpg --keyserver pgp.mit.edu --recv-keys 42C74CBA

Pat
--
Patrick Lawrence
Distributed Computing Analysis and Support
University of California at Davis
Re: gpg --recv-key option
this is my point exactly....!!!!

you have to know the hex. And this is not a friendly search for gpg...
you should be able to search by email address, last name and hex....



----- Original Message -----
From: "Patrick J. Lawrence" <pjlawrence@ucdavis.edu>
Date: Friday, March 24, 2000 1:30 pm
Subject: Re: gpg --recv-key option

> > So this can't be done via the shell, if this is what I am seeing? I
> > know that you can do this with pgp6...
>
> Yes, you can. To get Marius' key:
>
> gpg --keyserver pgp.mit.edu --recv-keys 42C74CBA
>
> Pat
> --
> Patrick Lawrence
> Distributed Computing Analysis and Support
> University of California at Davis
>
---
/helfman
"At any given moment, you may find the ticket to the circus that has
always been in your possession."

Fingerprint: 2F76 2856 776A 3E07 9F3E 452A 17D9 9B28 D75E 0A36
GnuPG http://www.gnupg.org Get Private!
Re: gpg --recv-key option
Argh, I've been exampled! =]

--
Marius Strom <marius@alpha1.net>
Professional Geek/Unix System Administrator
Alpha1 Internet <http://www.alpha1.net>
http://www.marius.org/marius.pgp 0x42C74CBA

In theory, there is no difference between theory and practice...
...In practice, there is a big difference.

On Fri, 24 Mar 2000, Patrick J. Lawrence wrote:

> > So this can't be done via the shell, if this is what I am seeing? I
> > know that you can do this with pgp6...
>
> Yes, you can. To get Marius' key:
>
> gpg --keyserver pgp.mit.edu --recv-keys 42C74CBA
>
> Pat
>
Re: gpg --recv-key option
Searching by {email,lastname,firstname,anything but the keyid} is very
susceptible to security issues, IMHO. I think taking the extra step to
getting the KeyID is a "good thing"(tm).

--
Marius Strom <marius@alpha1.net>
Professional Geek/Unix System Administrator
Alpha1 Internet <http://www.alpha1.net>
http://www.marius.org/marius.pgp 0x42C74CBA

In theory, there is no difference between theory and practice...
...In practice, there is a big difference.

On Fri, 24 Mar 2000, Jason Helfman wrote:

> this is my point exactly....!!!!
>
> you have to know the hex. And this is not a friendly search for gpg...
> you should be able to search by email address, last name and hex....
Re: gpg --recv-key option
if it is a security issue, how is it allowed in pgp6, the certificate
servers and others....i agree with you though, having to take the extra
step is nice, however annoying as hell...

why should I have to open a web browser and search! this should be a
command line function.

----- Original Message -----
From: Marius Strom <marius@alpha1.net>
Date: Friday, March 24, 2000 4:11 pm
Subject: Re: gpg --recv-key option

> Searching by {email,lastname,firstname,anything but the keyid} is very
> susceptible to security issues, IMHO. I think taking the extra step to
> getting the KeyID is a "good thing"(tm).
Re: gpg --recv-key option
Jason,
Imagine if your name is "Bob Smith", a very common name I'm sure. gpg
--recv-key --keyserver whatever Bob Smith would download a HUGE chunk of
keys. That just wouldn't be right.

I think it is good to go to the pgp.mit.edu key search, search for your
friend Bob Smith, then snag his key by HexID.

--
Marius Strom <marius@alpha1.net>
Professional Geek/Unix System Administrator
Alpha1 Internet <http://www.alpha1.net>
http://www.marius.org/marius.pgp 0x42C74CBA

In theory, there is no difference between theory and practice...
...In practice, there is a big difference.

On Fri, 24 Mar 2000, Jason Helfman wrote:

> if it is a security issue, how is it allowed in pgp6, the certificate
> servers and others....i agree with you though, having to take the extra
> step is nice, however annoying as hell...
>
> why should I have to open a web browser and search! this should be a
> command line function.
Re: gpg --recv-key option
Marius Strom, at 16:11 -0600 on Fri, 24 Mar 2000, wrote:

> Searching by {email,lastname,firstname,anything but the keyid} is very
> susceptible to security issues, IMHO. I think taking the extra step to
> getting the KeyID is a "good thing"(tm).

Please qualify this remark. Signatures on keys solve the issue of
downloading 'untrusted' keys.

Currently, there is a problem with some keyservers that assume that only
accept one of any short key ID, but this is an implementation issue, not a
trust one.

--
Frank Tobin http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

Re: gpg --recv-key option
Marius Strom, at 16:29 -0600 on Fri, 24 Mar 2000, wrote:

> Jason,
> Imagine if your name is "Bob Smith", a very common name I'm sure. gpg
> --recv-key --keyserver whatever Bob Smith would download a HUGE chunk of
> keys. That just wouldn't be right.

It is not wrong. GnuPG could very easily handle this. The standard
keyservers don't seem to return a keyblock for non-ID searches; they return a
list of possible keys, describing their size, hexID, user ids, etc.
GnuPG would then present these user ID's to the user, and then the user
would select which hexID(s) to download. There is no need to get every
match for "Bob Smith".

> I think it is good to go to the pgp.mit.edu key search, search for your
> friend Bob Smith, then snag his key by HexID.

How does this solve the issue? How do you know which Bob Smith to choose?

--
Frank Tobin http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

Re: gpg --recv-key option
On 24 Mar, Frank Tobin wrote:

> Marius Strom, at 16:29 -0600 on Fri, 24 Mar 2000, wrote:
>
>> Jason,
>> Imagine if your name is "Bob Smith", a very common name I'm sure. gpg
>> --recv-key --keyserver whatever Bob Smith would download a HUGE chunk of
>> keys. That just wouldn't be right.
>
> It is not wrong. GnuPG could very easily handle this. The standard
> keyservers don't seem to return a keyblock for non-ID searches; they return a
> list of possible keys, describing their size, hexID, user ids, etc.
> GnuPG would then present these user ID's to the user, and then the user
> would select which hexID(s) to download. There is no need to get every
> match for "Bob Smith".
>
>> I think it is good to go to the pgp.mit.edu key search, search for your
>> friend Bob Smith, then snag his key by HexID.
>
> How does this solve the issue? How do you know which Bob Smith to choose?

Seems to me that Frank has put his virtual finger on the crux of the
issue: How *do* you know which to choose? Even if GnuPG presented the
possible matches to the user, the only thing that's gained is not
hopping to the web browser.

From a practical standpoint, it seems that the easiest way to handle the
transaction is to have Bob Smith send you a signed email. When you (or
your email program) verify the signature, you will get the correct key
from the keyserver, which you can then use for future communications.

If nothing else, my keyring is being filled with keys in this manner ...

Barthel
--
ld_barthel@yahoo.com | http://geocities.com/Area51/Shire/4063
Organization: The Pennswald Group -- Linux powered!!
gpg fingerprint: 8D3F 4BFF D36B BFCC FEE5 86A0 2AAF D3DA C395 641E

Of course, America had often been discovered before Columbus,
but it had always been hushed up. - Oscar Wilde
Re: gpg --recv-key option
Hello, can anybody tell me what and why these fingerprints are?
It should be something important or useful at least since nearly
everybody who uses gpg/pgp uses it. I have searched gpg help but did not
find out what I was looking for. Thanks in advance...
Best regards Michal Hajek

* L. Sassaman (rabbi@quickie.net) [000326 06:47]:
> ....
> There's this little thing called the key fingerprint...
> ....
Re: gpg --recv-key option
On 25 Mar, L. Sassaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, 25 Mar 2000, Kevin D. Knerr, Sr. wrote:
>
>> Seems to me that Frank has put his virtual finger on the crux of the
>> issue: How *do* you know which to choose? Even if GnuPG presented the
>> possible matches to the user, the only thing that's gained is not
>> hopping to the web browser.
>
> There's this little thing called the key fingerprint...

But doesn't that become useful *after* you've retrieved the key from the
server? I thought the original question was about identifying which keys
to retrieve, not confirming the validity of the key after you've
retrieved it.

Barthel
--
ld_barthel@yahoo.com | http://geocities.com/Area51/Shire/4063
Organization: The Pennswald Group -- Linux powered!!
gpg fingerprint: 8D3F 4BFF D36B BFCC FEE5 86A0 2AAF D3DA C395 641E

A good pun is its own reword.
Re: gpg --recv-key option
Kevin D. Knerr, Sr., at 17:13 -0500 on Sun, 26 Mar 2000, wrote:

> But doesn't that become useful *after* you've retrieved the key from the
> server? I thought the original question was about identifying which keys
> to retrieve, not confirming the validity of the key after you've
> retrieved it.

You should be able to search the keyserver by fingerprint. You would have
already obtained this fingerprint through another channel which would not
have been conducive to transmitting the entire key (for example,
handwritten on paper).

--
Frank Tobin http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

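Added example (not part of the original thread and not GnuPG code): the selection step discussed above, picking a key by a full fingerprint obtained through another channel, run over a constructed colon-format listing in which two keys share the short ID D75E0A36. The function names and the listing are assumptions; only the fingerprint 2F76 ... 0A36 is taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. The listing and all names are constructed;
# only the fingerprint 2F76 ... 0A36 appears on the page.
# Real input would be a colon listing from:
#   gpg --with-colons --fingerprint --list-keys

# Two primary keys share short ID D75E0A36; the second fingerprint is made up.
SAMPLE_LISTING='pub:-:1024:17:17D99B28D75E0A36:2000-01-01:::-:Constructed User <email@whoever.com>:
fpr:::::::::2F762856776A3E079F3E452A17D99B28D75E0A36:
sub:-:2048:16:1111222233334444:2000-01-01::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
pub:-:1024:17:89ABCDEFD75E0A36:2000-02-01:::-:Constructed User <email@whoever.com>:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFD75E0A36:'

# Strip spaces, colons and a leading 0x; upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Print the fingerprint of every primary key: field 10 of the first
# "fpr" record after each "pub" record (subkey fingerprints are skipped).
primary_fprs() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# Count primary keys whose fingerprint ends in the given short or long key ID.
count_by_keyid() {
    id=$(norm_fpr "$2")
    primary_fprs "$1" | awk -v id="$id" '
        substr($0, length($0) - length(id) + 1) == id { n++ }
        END { print n + 0 }'
}

# Print the one key matching a full 40-hex fingerprint obtained out-of-band.
# Returns 2 if the selector is not a full fingerprint, 1 unless exactly one key matches.
select_by_fpr() {
    expected=$(norm_fpr "$2")
    case "$expected" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    hits=$(primary_fprs "$1" | awk -v f="$expected" '$0 == f { n++ } END { print n + 0 }')
    [ "$hits" -eq 1 ] || return 1
    printf '%s\n' "$expected"
}

# Demo on the constructed listing.
echo "keys matching short ID D75E0A36: $(count_by_keyid "$SAMPLE_LISTING" D75E0A36)"
select_by_fpr "$SAMPLE_LISTING" '2F76 2856 776A 3E07 9F3E 452A 17D9 9B28 D75E 0A36'
```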