I have a 356784 byte file called store.p7b.
It's the root certificates that come with XP (and one of their
updates).
I just went into explorer/Tools/Internet
Options/Content/certificates/trusted root certification authorities,
then shift-clicked on the first one, shift-clicked on the last one,
then went through the export process.
Anybody know how to import it into GPG or PGP?
It would be nice to know if anybody ever negotiated the politics, or
fees, or schmoozing, or whatever put some cross-links and uplinks into
the old "web of trust" that works so well, mostly because there are
not very many people trying to write into channels that are ultimately
burned on disk.
[Posted by JWL, 3/21/2011 12:02:37 AM]

On Sun, 20 Mar 2011 20:02:37 -0400, JWL <brewhaha@freenet.edmonton.ab.ca> wrote:
> I have a 356784 byte file called store.p7b.
> Anybody know how to import it into GPG or PGP?
The certificates used for ssl encryption are not in a format
suitable for use with gpg/pgp. For that type of certificate
the appropriate tool is called OpenSSL. You can get a windows
version from
http://www.openssl.org/related/binaries.html
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
[Posted by David, 3/21/2011 12:49:03 AM]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David W. Hodgins wrote:
> On Sun, 20 Mar 2011 20:02:37 -0400, JWL
> <brewhaha@freenet.edmonton.ab.ca> wrote:
>> I have a 356784 byte file called store.p7b.
>> Anybody know how to import it into GPG or PGP?
>
> The certificates used for ssl encryption are not in a format
> suitable for use with gpg/pgp. For that type of certificate
> the appropriate tool is called OpenSSL. You can get a windows
> version from
> http://www.openssl.org/related/binaries.html
>
> Regards, Dave Hodgins
I am led to believe that PGP can import pem.
http://www.minstrel.org.uk/wot-faq/q1.html
I tried openssl to get a pem and got this:
C:\PROGRA~1\OpenSSL-Win32\bin>openssl pkcs7 -in store.p7b -print_certs -out store.pem
unable to load PKCS7 object
2784:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:696:Expecting: PKCS7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iQCVAwUBTYf0gB47apzXdID2AQKd9wQAij8KviPGVM2R9sshVvtuV415gX4c8Y3m
JOntU3lRzZkBwfC1SyuKB1NqITig7mpdCvf2qQfbn8kFNP0Vz/0N+HOqULKDBG4h
Eu993dPteoRgWdpnNQxsFNA60QY9w4bBnwRxBhRpkguTHD80e3nV5MEW0Vf8HdcI
rFaAPbHONMg=
=S82i
-----END PGP SIGNATURE-----
http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp
[Posted by JWL, 3/22/2011 1:04:08 AM]

On Mon, 21 Mar 2011 21:04:08 -0400, JWL <brewhaha@freenet.edmonton.ab.ca> wrote:
> I am led to believe that PGP can import pem.
> http://www.minstrel.org.uk/wot-faq/q1.html
Read the site again. PGP has the ability to generate a
certificate request (a feature added since I switched to
linux).
That request is then sent to Thawte, who convert it into
a signed gpg key, and only for rsa pgp keys.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
[Posted by David, 3/22/2011 5:09:52 PM]

On Thu, 24 Mar 2011 01:57:52 -0400, JWL <brewhaha@freenet.edmonton.ab.ca> wrote:
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.2.2 (MingW32)
> Comment:
> http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp
>
> owFlVV1oHFUUThussLhVoVVQkUMf0thOZjeh2JLYNDFN47amDd1oqPjg3Zm7MzeZ
As I posted before, in usenet articles, please use clear text
signatures. Trying to decrypt whatever you posted using gpg
shows ...
$ gpg msg.asc
gpg: invalid armor header: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp\n
gpg: invalid radix64 character 3A skipped
gpg: invalid radix64 character 2E skipped
gpg: invalid radix64 character 2E skipped
gpg: invalid radix64 character 7E skipped
gpg: invalid radix64 character 5F skipped
gpg: invalid radix64 character 5F skipped
gpg: invalid radix64 character 5F skipped
gpg: invalid radix64 character 2E skipped
gpg: invalid radix64 character 2E skipped
gpg: CRC error; 47A6BA - F62D55
gpg: packet(1) with unknown version 156
If you can't figure out how to clear sign your messages, please
stop trying to sign them, and just post plain text messages.
I will not bother trying to decrypt any further messages from you.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
[Posted by David, 3/24/2011 6:47:15 AM]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David W. Hodgins wrote:
> On Thu, 24 Mar 2011 01:57:52 -0400, JWL
> <brewhaha@freenet.edmonton.ab.ca> wrote:
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v1.2.2 (MingW32)
>> Comment:
>> http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp
>>
>> owFlVV1oHFUUThussLhVoVVQkUMf0thOZjeh2JLYNDFN47amDd1oqPjg3Zm7MzeZ
>
> As I posted before, in usenet articles, please use clear text
> signatures. Trying to decrypt whatever you posted using gpg
> shows ...
>
> $ gpg msg.asc
> gpg: invalid armor header: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp\n
> gpg: invalid radix64 character 3A skipped
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 7E skipped
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 2E skipped
> gpg: CRC error; 47A6BA - F62D55
> gpg: packet(1) with unknown version 156
>
> If you can't figure out how to clear sign your messages, please
> stop trying to sign them, and just post plain text messages.
>
> I will not bother trying to decrypt any further messages from you.
>
> Regards, Dave Hodgins
It was not encrypted. I went "gpg -sa", so it was signed and
compressed.
What you are saying illustrates a bug. The _advantage_ is simply that
my signatures *should* survive archive treatment. As things are, I can't
verify cleartext signatures from google.
David W. Hodgins wrote:
> On Mon, 21 Mar 2011 21:04:08 -0400, JWL
> <brewhaha@freenet.edmonton.ab.ca> wrote:
>> I am led to believe that PGP can import pem.
>> http://www.minstrel.org.uk/wot-faq/q1.html
>
> Read the site again. PGP has the ability to generate a
> certificate request (a feature added since I switched to
> linux).
You can get a certificate from PGP by using their
keyserver manually at http://keyserver2.pgp.com/,
and hitting the link it sends to your e-mail address.
It is of course a marginal process to trust,
and it is better than nothing.
> That request is then sent to Thawte, who convert it into
> a signed gpg key, and only for rsa pgp keys.
>
> Regards, Dave Hodgins
} Thawte will return the finished certificate both as a Netscape
} Certificate chain and as a PKCS7 Certificate chain, neither of which
} PGP understands. So, some conversion is required - the easiest way
} is to split the PKCS7 chain into separate certificates and output these
} in ASCII format - just save into separate .pem files and
} import into PGP (using 'Key/Import' and selecting the .pem files).
Internet Explorer does not export the full public key; only the certificate.
Firefox, however, will export pem, as *.crt, complete with the public key.
All I had to do was rename a file to import it into PGP10. I wonder what
the fix for unsigned data transparency will be; leaving the
"PGP SIGNED MESSAGE" headers in?
I note that the first key I imported has no e-mail address on it.
BTW, this is a good way to get signatures that verify onto google
archives.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment:
http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp
iQCVAwUBTYrtKx47apzXdID2AQJgIgQAgIdIqmV/rWA6oD6wh4CEXQEaWEtdAUwi
YwQI3okKYLg5CxJUgywpCr7/UwMInEM8XFoOG9nNU1pYR3MAOGA+ZY/m1cVo3mOx
LTvLRGYk1AIPJeoVVseH7NTsdTHpRdMFgHWpwLOG+e2J5Ku3CVc0Y9R9iwa38sJS
Wh4BO1MqA2U=
=9RTF
-----END PGP SIGNATURE-----
[Posted by JWL, 3/24/2011 7:07:51 AM]

Maybe --pgp2 (MD5+IDEA+noMDC) is an archive-quality
"pgp -sa".
[Posted by JWL, 3/24/2011 7:36:42 AM]

If you take out the line break after
comment:
then gpg might be able to verify that message.
[Posted by JWL, 3/24/2011 7:52:48 AM]

David W. Hodgins wrote:
> $ gpg msg.asc
> gpg: invalid armor header: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp\n
> gpg: invalid radix64 character 3A skipped
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 2E skipped
That's a double-slash.
> gpg: invalid radix64 character 7E skipped
That's a tilde.
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 5F skipped
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 2E skipped
2E is hexadecimal for a period. None of the above are within the
base64 character set, and I suspect that gpg would accept anything but
a line break or a carriage return after the comment header.
[Posted by JWL, 3/24/2011 7:58:07 AM]

On Thu, 24 Mar 2011 03:52:48 -0400, JWL <brewhaha@freenet.edmonton.ab.ca> wrote:
> If you take out the line break after
> comment:
> then gpg might be able to verify that message.
Replacing the linefeed with a space does allow the message
signature to be verified.
The only problem I see with the armored messages, as well as
the archives on google, seems to be caused by the Comment field
getting wrapped.
Perhaps you should use a shorter comment, especially since
http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric_Litwyn_Jay.mp3.pgp
returns 404 Not Found.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
[Posted by David, 3/24/2011 6:38:46 PM]

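Added example (not part of any post above, and not GnuPG's own code): a simplified strict parser for one ASCII-armored block, in Python, that rejects a folded Comment header the way the thread describes and accepts the block once the line break is replaced by a space. The payload, the example.invalid URL and the function names are constructed for illustration; LF line endings are assumed.

```python
import base64
import re

# RFC 4880 armor header: "Key: value" (the value may be empty).
HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:( |$)")

def crc24(data: bytes) -> int:
    """CRC-24 checksum of the armored payload (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def unwrap_headers(armor: str) -> str:
    """Rejoin header lines that a news or mail client folded onto a new line."""
    head, sep, rest = armor.partition("\n\n")    # headers end at the blank line
    fixed = []
    for i, line in enumerate(head.split("\n")):
        if i < 2 or HEADER.match(line):          # BEGIN line, first header, or a new header
            fixed.append(line)
        else:                                    # continuation of the previous header
            fixed[-1] = fixed[-1].rstrip() + " " + line.strip()
    return "\n".join(fixed) + sep + rest

def dearmor(armor: str) -> bytes:
    """Strict parse: reject malformed headers, then verify the CRC-24 line."""
    head, _, rest = armor.partition("\n\n")
    for line in head.split("\n")[1:]:
        if not HEADER.match(line):
            raise ValueError(f"invalid armor header: {line!r}")
    body = [l for l in rest.split("\n") if l and not l.startswith("-----")]
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC error")
    return data

# Constructed sample: placeholder payload and URL, Comment header folded in transit.
PAYLOAD = b"constructed payload standing in for a signed message"
WRAPPED = ("-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.2.2 (MingW32)\n"
           "Comment:\nhttp://example.invalid/long-comment-url.pgp\n\n"
           + base64.b64encode(PAYLOAD).decode() + "\n="
           + base64.b64encode(crc24(PAYLOAD).to_bytes(3, "big")).decode()
           + "\n-----END PGP MESSAGE-----\n")
```

For a clear-signed post, apply unwrap_headers to the part that starts at the BEGIN PGP SIGNATURE line, since that is the block whose headers get folded.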