
Mailing List Archive: GnuPG: users

RSA only enable to sign

 

 



lord.icervantes at gmail

Sep 7, 2009, 9:31 PM

Post #1 of 6 (767 views)
RSA only enable to sign

Hi,

Can you help me with the next: why I have RSA only to sign¿? I'm from Mexico
and the link http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#me says that in
my country there are no restrictions.

ian [at] ian-lapto:~$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Por favor seleccione tipo de clave deseado:
(1) DSA y ElGamal (por defecto)
(2) DSA (sólo firmar)
(5) RSA (sólo firmar)
¿Su elección?:


Thanks.

--
Iván Cervantes


rjh at sixdemonbag

Sep 7, 2009, 11:04 PM

Post #2 of 6 (714 views)
Re: RSA only enable to sign [In reply to]

There are some Spanish-speakers on this list who might be able to give
you a Spanish answer. If you don't mind an English answer, I'll try to
answer it.

> Can you help me with the next: why I have RSA only to sign¿?

You need to add an RSA encryption subkey. Go ahead and create a
sign-only RSA key. Then:

gpg --edit-key [my key ID] addkey

At the prompt, choose "(6) RSA (encrypt only)". It may be numbered
differently on your machine.

Go through the rest of the steps and you will have added an RSA encryption
subkey. Send the updated key on to the keyserver network and your
friends can now use that encryption subkey to encrypt data meant for you.


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


lord.icervantes at gmail

Sep 7, 2009, 11:38 PM

Post #3 of 6 (705 views)
Re: RSA only enable to sign [In reply to]

Hi Robert,

thanks for the answer, I did that one week ago, and it works fine but I need
the private key to generate the subkey. But it's true what you say, we can
enable a subkey of RSA to encrypt.

Changing a little my question, why I have only three options in my gpg
installation¿?

The reason is that I develop a system that imports a public key (in theory
any algorithm in gpg) and then my system encrypts a file with that public
key. That's an automatic process and I can request the private key to my
users because that broke my security protocol.

thanks.



--
Iván Cervantes


rjh at sixdemonbag

Sep 7, 2009, 11:50 PM

Post #4 of 6 (716 views)
Re: RSA only enable to sign [In reply to]

Iván Cervantes wrote:
> Changing a little my question, why I have only three options in my gpg
> installation¿?

A GnuPG "key" isn't just one piece of data. It's a whole lot of pieces
of data.

All GnuPG keys -- what we should really call "certificates" -- have a
signing key. That's the most basic, fundamental thing in the
certificate. If you want to be able to encrypt, you have to add an
encryption subkey.

Up until GnuPG 1.4.10, GnuPG would create a DSA signing key and an
ElGamal encryption key for you as one single operation. You executed
"--gen-key", and GnuPG created the signing key, added the encryption
subkey, and you were done.

RSA was considered to be for advanced users. Advanced users were
believed to be capable of generating their signing key, and then adding
their own encryption key later.


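
A check the automated importer described in this thread could run before encrypting, as an added example that is not code from any poster or from GnuPG: it reads the colon-delimited listing printed by gpg --with-colons --list-keys and reports which keys carry the encrypt capability. The key IDs and user IDs in the sample are constructed, and the function names are hypothetical.

```python
# Added example, not code from the thread. Parses the machine-readable key
# listing (gpg --with-colons --list-keys) to find keys usable for encryption.

# Constructed sample listing: three made-up certificates.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1252368000:::u:::scSC:
uid:u::::1252368000::::Constructed Sign Only <a@example.invalid>:
pub:u:2048:1:2222222222222222:1252368000:::u:::scESC:
uid:u::::1252368000::::Constructed With Subkey <b@example.invalid>:
sub:u:2048:1:3333333333333333:1252368000::::::e:
pub:u:2048:1:5555555555555555:1252368000:::u:::scSC:
uid:u::::1252368000::::Constructed Expired Subkey <c@example.invalid>:
sub:e:2048:1:4444444444444444:1252368000:1252454400:::::e:
"""

# Field 2 (validity) values that make a key unusable:
# i = invalid, d = disabled, r = revoked, e = expired.
UNUSABLE = set("idre")


def encryption_keys(listing):
    """Map each primary key ID to the key IDs that can receive encryption."""
    result = {}
    primary = None
    primary_ok = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if f[0] == "pub":
            primary = f[4]
            # An uppercase D in field 12 marks a disabled certificate.
            primary_ok = f[1] not in UNUSABLE and "D" not in f[11]
            result[primary] = []
        if primary is None:
            continue
        # Field 12 holds capabilities; lowercase "e" means this key encrypts.
        if primary_ok and f[1] not in UNUSABLE and "e" in f[11]:
            result[primary].append(f[4])
    return result


def can_encrypt_to(listing, primary_keyid):
    """True if the certificate has at least one usable encryption key."""
    return bool(encryption_keys(listing).get(primary_keyid))


if __name__ == "__main__":
    for keyid, usable in encryption_keys(SAMPLE).items():
        print(keyid, "->", usable or "sign-only, cannot encrypt to this key")
```
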


faramir.cl at gmail

Sep 8, 2009, 12:33 PM

Post #5 of 6 (701 views)
Re: RSA only enable to sign [In reply to]


Iván Cervantes wrote:
...
> Changing a little my question, why I have only three options in my gpg
> installation¿?

I'll reply in English so other people can correct me if I am wrong.
I think unless you activate the expert options, you get a reduced set
of options. I added the line "expert" to my gpg.conf file, and I get the
following options when I generate keys:

Por favor seleccione tipo de clave deseado:
(1) DSA y ElGamal (por defecto)
(2) DSA (sólo firmar)
(3) DSA (permite elegir capacidades)
(5) RSA (sólo firmar)
(7) RSA (permite elegir capacidades)
Su elección:

And the following options when adding a subkey.

Por favor seleccione tipo de clave deseado:
(2) DSA (sólo firmar)
(3) DSA (permite elegir capacidades)
(4) ElGamal (sólo cifrar)
(5) RSA (sólo firmar)
(6) RSA (sólo cifrar)
(7) RSA (permite elegir capacidades)

The options you miss when generating a new key are the options where
you can choose the capabilities the key will have, and since a mistake
there can create a useless (for your purposes) key, they are available
only to experts (or to call them other way, to not-newbies).

Best Regards



dshaw at jabberwocky

Sep 8, 2009, 4:32 PM

Post #6 of 6 (702 views)
Re: RSA only enable to sign [In reply to]

On Sep 8, 2009, at 3:33 PM, Faramir wrote:

> Iván Cervantes wrote:
> ...
>> Changing a little my question, why I have only three options in my
>> gpg installation¿?
>
> I'll reply in English so other people can correct me if I am wrong.
> I think unless you activate the expert options, you get a reduced set
> of options. I added the line "expert" to my gpg.conf file, and I get the
> following options when I generate keys:

[...]

> The options you miss when generating a new key are the options where
> you can choose the capabilities the key will have, and since a mistake
> there can create a useless (for your purposes) key, they are available
> only to experts (or to call them other way, to not-newbies).

Just right. As a general rule, people should never need --expert to
do regular OpenPGP-ish things (make keys, encrypt stuff, etc).

David


