Why trust gpg4win?

[Jan]

On 09/13/2013 14:05, NdK wrote:
>What happens if one of your correspondents is willing to undergo the
>whole procedure and he's an FBI agent?
I'd tell him confidential information, - but I did not intent to protect
me against such a thread by means of gnuPG.

> If you want to
> certify that your security perimeter is secure, you first have to
> accurately define where it is and the threat model. And even then you
> can only certify it's secure against the attacks you could think of.

That is a good point. On this list I learned about the existence of some 
vectors I did not even think of. Thank you for that information. Is there a 
book on thread models which list widely known attack vectors?

OK, so I'll try to define two thread models.

The setup:
Assume there is a windows PC connected to the internet (online PC) and an 
USB device with debian on it where the network drives are uninstalled 
(offline PC). The USB device is only plugged into the machine, if windows is 
not running. The windows PC has a FAT partition. Encrypted emails/files 
downloaded with windows are stored there. After reboot the FAT partition is 
mounted with debian and the emails/files are decrypted. The reverse 
procedure (answer to the email) runs analogously. Only simple file formats 
are accepted.

Thread models:
1. There might be a Trojan on the windows machine.

2. There might be a Trojan on the windows machine and someone might steel 
the USB device from my apartment.

I don't care about hardware key loggers, TEMPEST, cold boot attacks or 
cameras installed in my apartment. In the second thread model the USB device 
would have an encrypted root partition. Another scenario is that instead of 
the USB device there is a real offline PC and file transfer between the two 
machines happens only via CD-RW or multisession CD-R.

Kind regards,
Jan