DO's and DON'Ts about using gpg on the internet?

Dominik Schwald dominik_ml@nextbyte.de
Thu Jan 24 18:31:02 2002


Hi,

On Thursday, 24 January 2002 18:55, David wrote:
> Q1. How secure is the setuid when run through a cgi script. I suppose
> this is OS and version number dependent.  Comments on this are
> appreciated.

AFAIK that's quite secure since gpg drops root privileges immediately 
after the allocation of 'secure' memory.

> Q2. The public key ring is best owned by root. Is this true?

Hmm.. I don't think that's important, 'cause it's a *PUBLIC* keyring.

> Q3. Where should the userid for the public key be stored and who
> should own it. i.e. should it be in a data file owned by root, an
> intermediate user with no telnet/ssh/ftp access or just in the cgi
> program owned by user.

Do you only want to encrypt or do you want to encrypt&sign data?

Bye, dominik
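
The "lock memory first, then drop root" ordering mentioned in the answer to Q1, sketched as an added example that is not part of the original message and is not gpg's own code. It assumes a setuid-root binary on a POSIX system; `alloc_locked_pool`, `drop_privileges` and `POOL_SIZE` are hypothetical names.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define POOL_SIZE 4096  /* constructed size for the locked pool */

/* Step 1, the only step that is meant to use the elevated privilege:
 * allocate a page-aligned pool and pin it in RAM so key material is not
 * written to swap. Returns NULL if allocation fails; *locked reports
 * whether mlock() succeeded. */
static void *alloc_locked_pool(size_t size, int *locked)
{
    void *pool = NULL;
    if (posix_memalign(&pool, (size_t)sysconf(_SC_PAGESIZE), size) != 0)
        return NULL;
    *locked = (mlock(pool, size) == 0);
    return pool;
}

/* Step 2: permanently give up the setuid/setgid identity. Group first,
 * because after the uid is dropped the process may not change its gid.
 * Returns 0 on success, -1 if the drop failed or root can be regained. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to become root again. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int locked = 0;
    void *pool = alloc_locked_pool(POOL_SIZE, &locked);
    if (pool == NULL || drop_privileges() != 0) {
        fputs("refusing to continue with elevated privileges\n", stderr);
        return 1;
    }
    printf("pool %s, euid=%d\n", locked ? "locked" : "NOT locked", (int)geteuid());
    return 0;  /* untrusted input (e.g. CGI parameters) is handled only after the drop */
}
```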