gpg --list-sigs (root for other users)
gnupg at ml0402.albert.uni.cc
Tue Mar 9 15:14:59 CET 2004
Am Sonntag, 7. März 2004 09:14 schrieb Neil Williams:
> > For backups of a few people who don't care about security. It
> > is not
> ?? If they don't care about security, why are they using a
> security product ??
Good question. But it is not my problem. There is nobody who has
access to my secret keys.
> I'd never sign a key where the owner is so casual about security.
> How can I trust the signature - it could be you or it could be
> the user. How can I encrypt to the key if the secret key is
> accessible to you and the owner?
I think this is a general problem. Whose keys one can sign, is very
difficult to decide IMO.
Of course people won't tell you, that there is an admin who has
access to their secret-keys and I believe there are a lot of people
who don't know that the admin has access to the secret keys. What
do you think are people doing in networks, where they are users
only and not admins? I don't believe that they do not save the
secret keys on the harddisk in their personal directory. Since I am
the only person who has root-rights on the machine, where my secret
keys are stored, I never thought about it, but what can people in
companys do to keep their sec-keys secret? I am talking of reality
and not what one can do in theory. A lot of people are so lazy and
they don't care about passwords. Maybe it is an idea, that they
don't sign, but do encryptions only.
Yesterday a friend told me, that there will a service be setup to
increase the use of e-government, where a telecommunication company
stores the secret keys and does the encryption for you, if you
enter a 4digit code in a webform, which you receive on your mobile
phone by request. This decision was made, because a lot of people
have no idea, how to sign or encrypt a message, have card reader,
a.s.o. I hope this system will not be accepted.
BTW do you know how many persons have registered a key?
http://pyxis.cns.ualberta.ca/cgi-bin/sksnet report about 2000000
keys. That seems to be nothing compared to the amount of internet
> This one-liner produces a list of keyids in one public keyring:
> gpg --list-keys --with-colons | grep "pub:-:" | cut -d: -f5
> This way, you can still sign in a public environment without
> compromising your secret key but ONLY because your secret key
> never gets stored on the public machine.
Are you sure?
Generally other people are not interested in stealing your secret
key, but let's assume again, the owner of an internet cafe is
interested in your secret key.
Doesn't have the admin/root access to all data used on a machine?
Let's say the key is used from a floppy or an usb-stick. In a linux
environment you have to mount the floppy / usb-stick and then the
keys are readable to root. I think of a simple shell script that
checks if the media is mounted and if, the content ist copied.
IMO it ends everytime in the question "can I trust them", if it is
not my own machine.
> secring.gpg file in your hands, a simple dictionary attack could
> undo many passphrases on the assumption that those who care this
> little for secret key security aren't going to have chosen a
> decent passphrase either.)
This assumption I hope is wrong. I don't know if they ignored what I
told them, but I think they have a valuable password.
BTW, I am searching for a linux-programm who tries to decrypt a
gpg-file by brute-force attack to show people how important it is
to have a good password. I would like to show them, how long it
takes to find a password of 1, 2, 3 a.s.o letters or a simple word
More information about the Gnupg-users