-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sunday 10 Nov 2002 10:19 am, Sameer D. Sahasrabuddhe wrote:
On Sun, Nov 10, 2002 at 08:59:17AM +0530, Amish K. Munshi wrote:
I just noticed that the digitally signed messages from my Kmail (1.4.3) are not recognised as a valid signature. The same is the case vice versa. Isn't there any standard for digital signatures, and how do organizations work with different mail clients (that is, if they do work with different mail clients) when their digital signatures do not work?
I don't think that it is a client problem ... are you talking about GPG signatures? I notice you have a very fresh key which has not been signed by anyone ...
I had this problem between Kmail and Evolution. I was just learning about digital signatures and thought of working on this; just as an experimental setup, I created two users, Amish and Prasad.
Amish and Prasad created keys (private and public) using gpg --gen-key
Then I do "gpg --export --armor amish@munshi.dyndns.org > /tmp/gpg_amish.txt" (as Amish)
and "gpg --export --armor prasad@munshi.dyndns.org > /tmp/gpg_prasad.txt" (as Prasad)
Then as Amish I do "gpg --import < /tmp/gpg_prasad.txt"
and as Prasad "gpg --import < /tmp/gpg_amish.txt"
Now I start Kmail (v1.4.3) as Amish and Evolution (v1.0.7) as Prasad. Amish sends a mail with a digital signature but Prasad cannot authenticate the mail. After thinking about what was wrong with this for more than 2 hours, I finally (just a coincidence) started Kmail as Amish (which was already on) and Kmail as Prasad, and then the recognition happens instantaneously. So Kmail and Evolution are not compatible when they send digitally signed messages.
Since you told me that mutt recognised my signature (apart from the owner's trust), Kmail is compatible with mutt but not with Evolution.
Also, I did not upload my present key since I have already uploaded two keys and do not know how to modify them, and just ended up creating dead keys on the server, and I don't think that there is any way that I can delete those keys from the servers. So only after I have understood everything about signatures will I upload them to the servers.
I want a little more info about this revocation certificate. If I format and reinstall my OS, can I use this revocation certificate to get my private and public keys again? If not, how do I make sure that I can use the same private and public keys even when I format the PC?
bash-2.05b$ gpg --fingerprint amish@munshi.dyndns.org
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
pub 1024D/59D76813 2002-11-01 Amish K. Munshi amish@munshi.dyndns.org
Key fingerprint = F3BD 07E2 E80E 3CB2 A504 7CE3 E9AA 6A84 59D7 6813
sub 1024g/3B7C9CF4 2002-11-01

This is the fingerprint I need to get, right?
Thanks for the help.
Please post the error message you get about "invalid signature".
Visit http://munshi.dyndns.org/~amish/sign.txt to obtain a Public key of my digital signature.
Slight confusion of terms here ... your public key is part of a pair - public and private. And the signature is message specific, created using your private key, which can be verified by anyone who has your public key.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE9zdKO6apqhFnXaBMRAiupAKCR8Dsa6NIin8IE93CrsVhc1M0x/ACdGlbE T9zJjC3AS0d2VgxCIF/4uao= =wMwX -----END PGP SIGNATURE-----
Here's what mutt using gpg has to say about your signature:
[-- PGP output follows (current time: Sun Nov 10 09:59:42 2002) --]
gpg: Signature made Sun Nov 10 08:59:18 2002 IST using DSA key ID 59D76813
gpg: Good signature from "Amish K. Munshi amish@munshi.dyndns.org"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F3BD 07E2 E80E 3CB2 A504 7CE3 E9AA 6A84 59D7 6813

This is after I downloaded your public key from the URL you mentioned ... but my key database says that your public key is not "signed" by anyone I trust. So there's no way for gpg running on my machine to know whether this key really belongs to you. So every time you get a signed message from someone, ensure you have their public key with you.
To tackle this, get your gpg-key fingerprint when you come to the meet. Write it down on a piece of paper, and be sure to bring valid identification documents with you, like license or college I-Card or passport.
man gpg
gpg --fingerprint
BTW, I just noticed you have three keys registered on the public key servers, while the one you advertise currently isn't listed anywhere ... I don't think that's a very good idea. If you intend to stick to one of them, remember to revoke the others.
Sameer.
- -- Visit http://munshi.dyndns.org/~amish/sign.txt to obtain a Public key of my digital signature. Please always verify that the mail originates from me before reading the contents of the mail using any opensource encryption software such as gnupg or openpgp.
Get in touch with me at ICQ 85730949
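
Added example, not part of the original message: the mutt output quoted in the thread reports two separate things, a good signature and an uncertified key. This Python sketch classifies the machine-readable lines that gpg emits with --status-fd and compares the signing key's fingerprint with one obtained in person; the sample status text is constructed, and the verdict names and the classify() helper are assumptions made for this illustration.

```python
import re

# Fingerprint as printed in the thread (what would be written on paper).
THREAD_FPR = "F3BD 07E2 E80E 3CB2 A504 7CE3 E9AA 6A84 59D7 6813"

# Constructed status output; only the key ID and fingerprint come from the thread.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG E9AA6A8459D76813 Amish K. Munshi
[GNUPG:] VALIDSIG F3BD07E2E80E3CB2A5047CE3E9AA6A8459D76813 2002-11-10 1036898958 0 3 0 17 2 00 F3BD07E2E80E3CB2A5047CE3E9AA6A8459D76813
[GNUPG:] TRUST_UNDEFINED
"""

SIG_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def normalize_fpr(text):
    """Strip spacing and case so a hand-copied fingerprint compares cleanly."""
    return re.sub(r"\s+", "", text).upper()


def classify(status_text, expected_fpr=None):
    """Separate 'the signature is valid' from 'the key belongs to the sender'."""
    sig, fpr, trust = None, None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in SIG_KEYWORDS:
            sig = keyword
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fpr = fields[-1] if len(fields) >= 12 else fields[2]  # primary key
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if sig != "GOODSIG" or fpr is None:
        verdict = "bad"                # tampered, unknown key, expired, revoked
    elif expected_fpr is not None:
        same = normalize_fpr(expected_fpr) == fpr.upper()
        verdict = "verified" if same else "wrong-key"
    elif trust in TRUSTED:
        verdict = "verified"           # certified via the local web of trust
    else:
        verdict = "unverified-owner"   # the case mutt reported in the thread
    return {"signature": sig, "fingerprint": fpr, "trust": trust, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS))
    print(classify(SAMPLE_STATUS, THREAD_FPR))
```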