DO's and DON'Ts about using gpg on the internet?
Dominik Schwald
dominik_ml@nextbyte.de
Thu Jan 24 18:31:02 2002
Hi,
On Thursday, 24 January 2002 18:55, David wrote:
> Q1. How secure is the setuid when run through a cgi script? I suppose
> this is OS and version number dependent. Comments on this are
> appreciated.
AFAIK that's quite secure since gpg drops root privileges immediately
after the allocation of 'secure' memory.
> Q2. The public key ring is best owned by root. Is this true?
Hmm.. I don't think that's important, 'cause it's a *PUBLIC* keyring.
> Q3. Where should the userid for the public key be stored and who
> should own it, i.e. should it be in a data file owned by root, an
> intermediate user with no telnet/ssh/ftp access or just in the cgi
> program owned by user.
Do you only want to encrypt or do you want to encrypt & sign data?
Bye, dominik
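
The sequence mentioned in the answer to Q1 (lock memory while the setuid binary still has root, then give up root for good before touching any input), as an added example that is not part of the original post and not GnuPG's source. The names `alloc_secure_pool`, `drop_privileges` and `POOL_SIZE` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define POOL_SIZE 16384  /* assumed pool size for this example */
/* Allocate a page-aligned pool and try to pin it in RAM so key material
 * cannot be written to swap. Sets *locked to 1 if mlock() succeeded. */
static void *alloc_secure_pool(size_t size, int *locked)
{
    void *pool = mmap(NULL, size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pool == MAP_FAILED)
        return NULL;
    *locked = (mlock(pool, size) == 0);  /* needs root or RLIMIT_MEMLOCK */
    return pool;
}

/* Permanently give up setuid-root. Returns 0 when privileges are gone,
 * 1 when the real uid is already 0 (nothing to drop), -1 on failure. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)  /* group first, then user */
        return -1;
    if (ruid == 0)
        return 1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || geteuid() != ruid)
        return -1;
    return 0;
}

int main(void)
{
    int locked = 0;
    void *pool = alloc_secure_pool(POOL_SIZE, &locked);
    if (pool == NULL)
        return EXIT_FAILURE;
    int rc = drop_privileges();  /* before any untrusted input is parsed */
    if (rc < 0)
        abort();                 /* never continue while still root */
    printf("pool locked: %s, root dropped: %s\n",
           locked ? "yes" : "no", rc == 0 ? "yes" : "n/a (real uid 0)");
    munmap(pool, POOL_SIZE);
    return EXIT_SUCCESS;
}
```
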