Mailing List Archive

erikg@nbnet.nb.ca writes:

> I was wondering... I'm currently using GNUPG 1.0. When I encrypt something, someone that has my public key but let's say is running PGP whatever version, they *can* decrypt my messages right? Also another question... What's the use of signing a file/message ? Also I don't really understand the trust thign.. I typed gpg --edit-key Acid-Duck (that's myself) I can set the trust on that key ok.. I know what trust is. But once I set the trust level on that key, what diffrence will it make exactly? Sorry for all the questions, I'm sometimes slow to understand stuff like that :P Also I'm very sorry if I'm sending this e-mail at the wrong place but this seemed to be the right place. Thank u for your attention to my inquery in advance.

Please read the HOWTO document which is online available
under the documentation section of www.gnupg.org.



--
Werner Koch at guug.de www.gnupg.org keyid 621CC013

[. Sorry for answering a FAQ, but I'd like to know how well I really know
this stuff ;-) ]

On Wed, 24 Nov 1999 19:30:42 -0800 (PST), Todd A. Jacobs <nospam@codegnome.org> wrote:
>On Sun, 21 Nov 1999 erikg@nbnet.nb.ca wrote:
>
>> something, someone that has my public key but let's say is running PGP
>> whatever version, they *can* decrypt my messages right?
>
>Only the owner of the secret key can decrypt a message once it has been
>encoded for that key. In short, the answer is "no."

But perhaps erikg meant to ask a different question:

If someone is running PGP whatever version, and you send them an encrypted
message with their public key, can they decrypt it?

If you can get an implementation of RSA and IDEA from somewhere and
load it into GnuPG as an extension, theoretically you can do this.
Supposedly, you can send a PGP message to someone with a PGP version
2.x public key like this:

gpg --load-extension idea --load-extension rsa --rfc1991 \
--digest-algo md5 --cipher-algo idea \
--encrypt --recipient <user ID> message-file.txt

However, I just tested this with PGP 2.6.3a, and it didn't work. I
created a new user account (so there's no user-specific configuration
lying around), generated a passphrase-less PGP key, exported the public
key from PGP, imported it into GPG, then tried to generate an encrypted
message with GPG and decrypt it with PGP. Everything went well except
for decrypting it:

$ pgp -d test
Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1999/11/25 16:07 GMT

File is encrypted. Secret key is required to read it.
Key for user ID: John Q. Smith <12345.6789@compuserve.com>
1024-bit key, key ID C47E0345, created 1999/11/25

Advisory warning: This RSA secret key is not protected by a passphrase.
Just a moment....
Error: Decrypted plaintext is corrupted.
.
For a usage summary, type: pgp -h
For more detailed help, consult the PGP User's Guide.

If someone wants to look at this, secret keys and all (I generated the
secret keys only for the purpose of this test--normally I don't use PGP
at all), let me know.

>> really understand the trust thign.. I typed gpg --edit-key Acid-Duck
>
>You assign trust based on how much you trust the owner of the key to
>authenticate other keys.

Trust is a measure of whether or not you believe that the key belongs
to a particular person. Mallory could generate a key with "Acid-Duck"
and an email address in the user ID (not the same key data as the one you
generated, but key data with the same name attached), and give it to Bob.
If Bob encrypts a message with that key, Mallory (and only Mallory)
can read it. Mallory might pass the message along to you with your
public key, and Mallory might even pull the same trick on you so that
when you send mail to Bob, Mallory can read it. As long as you and Bob
never verify each other's keys, you'll never know that Mallory reads
all your mail.

If you trust Alice, you can tell gpg that you want gpg to trust Alice's
key (by signing it with your key), as well as any key signed by Alice.
If Alice also signs Bob's real key, then you can tell the difference
between Bob's real key, and the fake key with the same user ID generated
by Mallory.

AFAICT, this doesn't change very much of GPG's behavior...it will still
verify signatures and return 0 exit status, even for untrusted keys.
However, GPG will give you warning messages, and it will prompt you if
you attempt to send a message to an untrusted key. For people writing
wrappers around GPG (e.g. mail programs and GUIs), GPG will also output
information on --status-fd about the GPG computed trust value.

--
I don't speak for Corel. zygob@corel.ca at work, zblaxell@furryterror.org
at play. GPG-encrypted email preferred at zblaxell@feedme.hungrycats.org
GPG @ Home fingerprint: 2B32 546D 21A5 0DB2 20C8 AF10 1D4A 610E 6972 2DEE
GPG @ Work fingerprint: CC25 D214 1B4B 2767 51B9 51E5 58DD 13B9 875B C08E

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sun, 21 Nov 1999 erikg@nbnet.nb.ca wrote:
> Also another question... What's the use of signing a file/message ?
>
> Also I don't
> really understand the trust thign.. I typed gpg --edit-key Acid-Duck
> (that's myself) I can set the trust on that key ok.. I know what
> trust is. But once I set the trust level on that key, what diffrence
> will it make exactly?

These two questions are addressed in detail in the user manual
available at www.gnupg.org.

> I was wondering... I'm currently using GNUPG 1.0. When I encrypt
> something, someone that has my public key but let's say is running PGP
> whatever version, they *can* decrypt my messages right?

This is addressed in the PGP/GnuPG interoperability document also
available at www.gnupg.org.

Mike

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjg95G0ACgkQBwMqlokEyOKG2ACgif5NEyCIPq1UMbuOk3mzAehZ
TDIAoLxaAl3MZbBZNZrLYqrTv/KpG5pq
=7YQ0
-----END PGP SIGNATURE-----