A last word on --passphrase-fd

[Alan Shutko]

Chuck Robey <chuckr@picnic.mat.net> writes:

> Uhh.  I'm not the crypto-whiz you are.  I understand (I think) the DVD
> story.  Can you tell me why needing crypto signatures on output of a cron
> job equates to the DVD story?  No sarcasm here, I really don't know.

You don't quite have the equivalence.  It's not needing crypto
signatures on cron output.  It's storing a decryption key where people
can get at it.

You want to have gpg sign things automatically, without any
interaction, right?  To do this, you think that you need to have a key
protected by a passphrase, and that somehow (say, by getting it from a
file), your cron job will give the passphrase to gpg.  Werner's saying
that's absolutely no more protection than having a key without a
passphrase.

What's protecting the file you keep your password in from being
viewed?  Probably, unix file permissions, difficulty in logging into
the machine, etc.  What's protecting a key without a passphrase from
being stolen?  Exactly the same thing.  So you aren't losing any
security by just getting rid of the passphrase.

A passphrase normally provides protection for a key because if you get
the key, you don't get the passphrase.  It's in someone's head
somewhere.  If someone breaks into my computer and gets my secret
keyring, they can't use it because they'd have to come to my cube and
rough me up a bit.  But if the passphrase is stored on the same
machine as the key, there's nothing stopping them.

The analogy to DVDs is that they have a Content Scrambling System (or
whatever it's called)... but the key is stored on the DVD itself.
That's why it's been broken.

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
Old golfers never die, they just loose their BALLS