verifying a file

Werner Koch wk@gnupg.org
Thu Nov 22 12:47:01 2001


On Thu, 22 Nov 2001 18:45:25 +0800, Kent Tong said:

> I notice that when I verify a detached signature, gpg will not
> check the integrity of my public keyrings (because it doesn't
> ask for my passphrase). My question is, what if someone puts some 

This is pointless.  If someone is able to modify your keyring he can
do all kinds of stuff - including sniffing your passphrase and
trojaning your binaries. 

The first thing an attacker will do is to grab your secring.gpg and
mount a dictionary attack on it. If you want to type your passphrase
quite often, it won't be strong and a dictionary attack will be
successful.

Ciao,

  Werner