Perl, GPG, and --passphrase-fd
Anthony E. Greene
Sat Jun 9 22:52:01 2001
On Sat, 09 Jun 2001 16:21:28 Christopher Maujean wrote:
>1. Having a passphrase hard coded, or having no passphrase at all means,
>IMHO, that the origin of the message is untrusted, and unverifiable. I
>can't trust that the signing key wasn't stolen and is being used by my
>arch-nemesis to impersonate my friend or business associate.
This is exactly why having an application on an untrusted machine sign
encrypted messages is a waste of time. If you want to trust the data the app
produces, you just have to safeguard the machine. A GPG sig doesn't add any
value unless you trust the machine that produced it.
Anthony E. Greene <firstname.lastname@example.org> <http://www.pobox.com/~agreene/>
PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
Chat: AOL/Yahoo: TonyG05 MSN: te_greene
Linux. The choice of a GNU Generation. <http://www.linux.org/>