gpg --list-sigs (root for other users)
Albert
gnupg at ml0402.albert.uni.cc
Tue Mar 9 15:14:59 CET 2004
On Sunday, 7 March 2004 09:14, Neil Williams wrote:
> > For backups of a few people who don't care about security. It
> > is not
>
> ?? If they don't care about security, why are they using a
> security product ??
Good question. But it is not my problem. There is nobody who has
access to my secret keys.
> I'd never sign a key where the owner is so casual about security.
> How can I trust the signature - it could be you or it could be
> the user. How can I encrypt to the key if the secret key is
> accessible to you and the owner?
I think this is a general problem. Whose keys one can sign is very
difficult to decide, IMO.
Of course people won't tell you that there is an admin who has
access to their secret keys, and I believe there are a lot of people
who don't know that the admin has access to the secret keys. What
do you think people are doing in networks where they are users
only and not admins? I don't believe that they do not save the
secret keys on the hard disk in their personal directory. Since I am
the only person who has root rights on the machine where my secret
keys are stored, I never thought about it, but what can people in
companies do to keep their secret keys secret? I am talking about
reality and not what one can do in theory. A lot of people are so
lazy, and they don't care about passwords. Maybe it is an idea that
they don't sign, but do encryption only.
Yesterday a friend told me that a service will be set up to
increase the use of e-government, where a telecommunication company
stores the secret keys and does the encryption for you if you
enter a 4-digit code in a web form, which you receive on your mobile
phone on request. This decision was made because a lot of people
have no idea how to sign or encrypt a message, have a card reader,
and so on. I hope this system will not be accepted.
BTW, do you know how many people have registered a key?
http://pyxis.cns.ualberta.ca/cgi-bin/sksnet reports about 2,000,000
keys. That seems to be nothing compared to the number of internet
users.
> This one-liner produces a list of keyids in one public keyring:
> gpg --list-keys --with-colons | grep "pub:-:" | cut -d: -f5
> This way, you can still sign in a public environment without
> compromising your secret key but ONLY because your secret key
> never gets stored on the public machine.
> http://www.gnupg.org/gph/en/manual.html#AEN513
Are you sure?
Generally other people are not interested in stealing your secret
key, but let's assume again that the owner of an internet cafe is
interested in your secret key.
Doesn't the admin/root have access to all data used on a machine?
Let's say the key is used from a floppy or a USB stick. In a Linux
environment you have to mount the floppy / USB stick, and then the
keys are readable to root. I am thinking of a simple shell script that
checks if the media is mounted and, if so, copies the content.
IMO it always ends in the question "can I trust them?" if it is
not my own machine.
> secring.gpg file in your hands, a simple dictionary attack could
> undo many passphrases on the assumption that those who care this
> little for secret key security aren't going to have chosen a
> decent passphrase either.)
I hope this assumption is wrong. I don't know if they ignored what I
told them, but I think they have a valuable password.
BTW, I am searching for a Linux program that tries to decrypt a
gpg file by brute-force attack, to show people how important it is
to have a good password. I would like to show them how long it
takes to find a password of 1, 2, 3, etc. letters or a simple word
like rose.
Albert
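The one-liner quoted above pulls key IDs out of `gpg --list-keys --with-colons` with grep and cut. What follows is an added example, not code from the thread or from GnuPG, that parses the same colon-separated record format in Python so that subkeys, user IDs, expiry and the validity field can be inspected as well; it also reproduces the quoted filter, whose `pub:-:` pattern matches only keys whose validity field (field 2) is "-", i.e. keys of unknown validity. The listing it parses is constructed for this example: the key IDs, fingerprints and user IDs are made up and belong to nobody.

```python
"""Added example (not from the original thread): parse the machine-readable
`gpg --list-keys --with-colons` output and list key IDs.

SAMPLE_LISTING is constructed for this example; the key IDs, fingerprints
and user IDs are made up."""
from dataclasses import dataclass, field
from typing import List

# Validity code carried in field 2 of pub/sub/uid records (see GnuPG's DETAILS file).
VALIDITY = {
    "o": "unknown (new key)", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown validity", "q": "undefined", "n": "never trust",
    "m": "marginally valid", "f": "fully valid", "u": "ultimately valid",
}

SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF:
uid:u::::1500000000::AAAA::Alice Example <alice@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
pub:-:2048:1:0011223344556677:1400000000:::-:::scESC::::::23::0:
fpr:::::::::00112233445566770011223344556677:
uid:-::::1400000000::BBBB::Bob Example <bob@example.invalid>::::::::::0:
pub:e:1024:17:8899AABBCCDDEEFF:1000000000:1100000000::-:::sc::::::23::0:
uid:-::::1000000000::CCCC::Carol Expired <carol@example.invalid>::::::::::0:
"""


@dataclass
class Key:
    keyid: str
    validity: str
    expires: str                      # expiry as epoch seconds, "" if none
    uids: List[str] = field(default_factory=list)
    subkeys: List[str] = field(default_factory=list)


def _unescape(value: str) -> str:
    # gpg writes a literal colon inside a field as "\x3a"
    return value.replace("\\x3a", ":")


def parse_colon_listing(text: str) -> List[Key]:
    """Return one Key per `pub` record with its following uid/sub records attached.
    Field numbering: 1 record type, 2 validity, 5 key ID, 7 expiry, 10 user ID."""
    keys: List[Key] = []
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append(Key(keyid=fields[4], validity=fields[1], expires=fields[6]))
        elif rtype == "sub" and keys:
            keys[-1].subkeys.append(fields[4])
        elif rtype == "uid" and keys:
            keys[-1].uids.append(_unescape(fields[9]))
        # tru, fpr, sig and other record types are not needed here
    return keys


def list_keyids(text: str, include_subkeys: bool = False) -> List[str]:
    """Key IDs of every primary key, optionally followed by each key's subkeys."""
    out: List[str] = []
    for key in parse_colon_listing(text):
        out.append(key.keyid)
        if include_subkeys:
            out.extend(key.subkeys)
    return out


def keyids_with_validity(text: str, code: str) -> List[str]:
    """Same selection as grep '^pub:<code>:' on the raw listing."""
    return [k.keyid for k in parse_colon_listing(text) if k.validity == code]


if __name__ == "__main__":
    for key in parse_colon_listing(SAMPLE_LISTING):
        print(key.keyid, VALIDITY.get(key.validity, key.validity), key.uids[0])
```

Feed it real output with `gpg --list-keys --with-colons | python3 script.py` style plumbing by reading `sys.stdin.read()` instead of `SAMPLE_LISTING`; the parser only depends on the field positions, which GnuPG keeps stable across versions.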
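Albert asks for a program that brute-forces the passphrase of a gpg file to show how long one-, two- or three-letter passphrases and dictionary words survive. The following is an added example, not something posted in the thread: it encrypts a file symmetrically with gpg in a throwaway home directory, then drives gpg with candidate passphrases (a small wordlist first, then every lowercase string of length 1 to 3) and reports the attempts and the time, extrapolating to the full 8-letter lowercase space at the measured rate. It assumes GnuPG 2.1 or later is on PATH as `gpg` (for `--pinentry-mode loopback`); the demonstration passphrases "rose" and "dz" are chosen for the example, and the candidate generator and search loop are plain Python so they work with any checker function.

```python
"""Added example (not from the original thread): time a dictionary / short
brute-force search against a symmetrically encrypted GnuPG file.
Assumes GnuPG 2.1+ on PATH as `gpg`; a throwaway --homedir keeps the user's
own keyring untouched.  "rose" and "dz" are demonstration passphrases only."""
import itertools
import os
import shutil
import string
import subprocess
import tempfile
import time
from typing import Callable, Iterable, Iterator, Optional, Tuple

DEVNULL = subprocess.DEVNULL


def candidate_passphrases(max_len: int, alphabet: str = string.ascii_lowercase,
                          wordlist: Iterable[str] = ()) -> Iterator[str]:
    """Wordlist entries first, then every string over `alphabet` of length
    1..max_len, shortest first; a candidate is yielded only once."""
    seen = set()
    for word in wordlist:
        if word not in seen:
            seen.add(word)
            yield word
    for length in range(1, max_len + 1):
        for letters in itertools.product(alphabet, repeat=length):
            cand = "".join(letters)
            if cand not in seen:
                yield cand


def search_space_size(max_len: int, alphabet_size: int = 26) -> int:
    # number of strings of length 1..max_len over the alphabet
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack(candidates: Iterable[str],
          try_fn: Callable[[str], bool]) -> Tuple[Optional[str], int, float]:
    """Feed candidates to try_fn until one is accepted.
    Returns (passphrase or None, attempts made, elapsed seconds)."""
    start, attempts = time.perf_counter(), 0
    for cand in candidates:
        attempts += 1
        if try_fn(cand):
            return cand, attempts, time.perf_counter() - start
    return None, attempts, time.perf_counter() - start


def gpg_cmd(homedir: str, *args: str) -> list:
    """gpg invocation that takes the passphrase from stdin and never prompts."""
    return ["gpg", "--batch", "--quiet", "--homedir", homedir,
            "--pinentry-mode", "loopback", "--passphrase-fd", "0", *args]


def encrypt_symmetric(homedir: str, plain_path: str, enc_path: str, passphrase: str) -> None:
    subprocess.run(gpg_cmd(homedir, "--yes", "--output", enc_path, "--symmetric", plain_path),
                   input=(passphrase + "\n").encode(), check=True,
                   stdout=DEVNULL, stderr=DEVNULL)


def gpg_passphrase_checker(homedir: str, enc_path: str) -> Callable[[str], bool]:
    """One gpg process per guess; exit status 0 means the passphrase was right."""
    def check(passphrase: str) -> bool:
        proc = subprocess.run(gpg_cmd(homedir, "--decrypt", enc_path),
                              input=(passphrase + "\n").encode(),
                              stdout=DEVNULL, stderr=DEVNULL)
        return proc.returncode == 0
    return check


def demo() -> None:
    if shutil.which("gpg") is None:
        print("gpg not found on PATH; skipping the live demonstration")
        return
    homedir = tempfile.mkdtemp(prefix="gpg-demo-")   # created with mode 0700
    try:
        plain = os.path.join(homedir, "plain.txt")
        with open(plain, "w") as fh:
            fh.write("constructed sample plaintext\n")
        for secret, wordlist in (("rose", ["password", "secret", "rose"]), ("dz", [])):
            enc = os.path.join(homedir, secret + ".gpg")
            encrypt_symmetric(homedir, plain, enc, secret)
            found, attempts, secs = crack(candidate_passphrases(3, wordlist=wordlist),
                                          gpg_passphrase_checker(homedir, enc))
            rate = attempts / secs if secs else float("inf")
            print(f"{found!r}: {attempts} attempts in {secs:.1f}s ({rate:.1f} guesses/s); "
                  f"all lowercase passphrases of up to 8 letters at that rate: "
                  f"{search_space_size(8) / rate / 86400:.0f} days")
    finally:
        if shutil.which("gpgconf"):   # stop the agent started for the temp homedir
            subprocess.run(["gpgconf", "--homedir", homedir, "--kill", "gpg-agent"],
                           stdout=DEVNULL, stderr=DEVNULL)
        shutil.rmtree(homedir, ignore_errors=True)


if __name__ == "__main__":
    demo()
```

Running it spawns one gpg process per guess, which is slow by construction and also pays gpg's iterated S2K hashing on every attempt, so a few hundred guesses take tens of seconds. Someone who has copied the encrypted file or secring.gpg would not do it this way: a dedicated cracker such as John the Ripper derives the S2K key directly, orders of magnitude faster, so the days-to-exhaust figure printed here is a generous upper bound on how long a short lowercase passphrase really lasts.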