confirmation for --export-secret-key
Sun, 19 Nov 2000 22:53:11 +0100
Content-Type: text/plain; charset=us-ascii
Hello. Yes, it's me again.
Why doesn't GnuPG ask for confirmation when it is told to export the
AFAIK, the weakest link in this whole public-key-cryptography is the
encrypted secret-key and its passphrase. That's why some people carry
their secret key on a floppy with them all the time.
Wouldn't it be an easy attack to just change the (e.g.)
pgp_export_command setting in the mutt config (or any other program with
automated gpg handling) of the victim from '--export' to
'--export-secret-keys' and ask the victim to mail his key to the
attacker (e.g. with the 'mail-key' function of mutt)?
There is no warning or anything else. While the attacker can start to
guess the passphrase, the victim doesn't even know it and can't revoke
the key or anything else.
PGP (GnuPG) encrypted mail welcome! (Key 0xBAC8E4D5)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to email@example.com