On Saturday 06 December 2008, Magnus Therning <magnus@therning.org> wrote about 'Re: Remote signing of large files':
>Boyd Stephen Smith Jr. wrote:
>> Please don't CC me on replies, unless I request one. It is against
>> debian-* list policy.
>
>Sure, and ditto!
>
>> On Friday 2008 December 05 15:49, you wrote:
>>> Boyd Stephen Smith Jr. wrote:
>>>> So, you might try --encrypt'ing the output of --print-md.
>>>
>>> AFAIU it wouldn't work:
>>>
>>> 1. Encrypting is actually using a symmetric algorithm for the bulk of
>>> the data and asymmetric crypto is only used to encrypt the symmetric
>>> key. In any case I don't think I can get `--encrypt` to use the
>>> private key.
>>
>> That's only true in active protocols with a handshake, e.g. SSL or TLS.
>> The only reason active protocols do this is because symmetric ciphers
>> are generally faster.
>>
>> For "offline" encryption, using asymmetric keys directly works fine.
>> If you encrypt something with gpg it uses the public key of the chosen
>> recipient or their public subkey designated for encryption.
>
>Please refer to section 2.1 of RFC2440 and you'll see the GnuPG indeed
>does use a "session key" for symmetric encryption which is encrypted
>with the public key and sent with the message. I imagine this helps a
>lot when encrypting the same message for more than one recipient.

Bah, well, never read that RFC, but that works, too. It's certainly possible to encrypt using the public/private key directly, but I guess the command-line tool may not have that functionality.

Reading the manpage certainly gives a different impression. Since --encrypt --symmetric is used for encrypting with a symmetric key, I would expect --encrypt by itself to be *not* using a symmetric key.

>Sure, I can always resort to modify gpg or write a custom tool that
>combines crypto primitives in a way that solves the problem I have. In
>this case that's not an option though, due to other requirements
>(backwards compatibility, etc) requires that I use only a standard,
>non-modified GnuPG.

In any case, while what you want is definitely possible, your constraint that a particular, unmodified version of a particular tool be used severely limits you. I doubt what you want can be done simply with the gpg tool.

-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
bss03@volumehost.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.org/                      \_/