Some questions

Faramir faramir.cl at gmail.com
Fri Aug 8 12:03:25 CEST 2008


zulag wrote:
> 1. The GnuPG documentation states that "--export-secret-key" is "a
> security risk". Since no passphrase is asked, I imagine the exported
> key is not clear text. So why is it a security risk? Because it would
> make it impossible (useless) to change the secret key passphrase later
> if the exported encrypted file goes public?

  I suppose it is clear text, and that would be the reason for the
"security risk" warning. The idea behind exporting a secret key is to
import it somewhere else, so it must be cleartext... unless you want to
back it up, in which case you can encrypt it right after exporting it...
But all this is what I suppose, since I don't remember having exported a
secret key from the command line.

> 2. Is it a bad practice to encrypt a file and then "clearsign" the
> encrypted file instead of doing directly "-ea" (with which we cannot
> check the signature before extracting, if we ever wanted to)?

  I remember somebody asked the same question a couple of months ago,
and the answer was:

  If you encrypt it and then sign it, and somebody steals the message,
he would get the sender's key ID from the signature. If you sign it and
then encrypt it, the thief would not have any info about the sender.

  I suppose decrypting a file is not a security threat, so there should
not be a problem if you decrypt a message and only then notice that it
doesn't come from the sender... (invalid signature).

 Best Regards
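As an added illustration (not part of the thread and not GnuPG code): a Python walk over OpenPGP packet headers that lists what someone who intercepts the message can read from each ordering without holding any key. The two messages are constructed byte strings in RFC 4880 layout with made-up key IDs and dummy MPIs/ciphertext, not real GnuPG output.

```python
import struct
NAMES = {1: "PKESK", 2: "Signature", 18: "SEIPD"}
SENDER_ID, RECIPIENT_ID = bytes.fromhex("11" * 8), bytes.fromhex("22" * 8)  # constructed

def packets(data):
    """Yield (tag, body) per top-level packet, old- or new-format header (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                          # new format: tag in the low 6 bits
            tag, n, i = ctb & 0x3F, data[i], i + 1
            assert n < 192, "multi-byte new-format lengths not handled in this example"
        else:                                   # old format: tag in bits 2..5
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def issuer(sig):                                # key ID from Issuer subpacket (type 16), v4 sig
    pos = 4                                     # skip version, sig type, pk algo, hash algo
    for _ in range(2):                          # hashed area, then unhashed area
        end, pos = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0], pos + 2
        while pos < end:
            n = sig[pos]                        # subpacket length covers type byte + data
            if sig[pos + 1] & 0x7F == 16:
                return sig[pos + 2:pos + 1 + n].hex().upper()
            pos += 1 + n
    return None

def exposed(data):
    """Packet types and key IDs an eavesdropper reads without any key."""
    kinds, ids = [], {}
    for tag, body in packets(data):
        kinds.append(NAMES.get(tag, f"tag{tag}"))
        if tag == 1:                            # PKESK: version, recipient key ID, algo, MPI
            ids["recipient"] = body[1:9].hex().upper()
        elif tag == 2 and body[0] == 4:
            ids["sender"] = issuer(body)
    return kinds, ids

# Constructed sample messages (dummy MPIs and ciphertext, not real GnuPG output).
def pkt(tag, body):                             # new-format header, one-byte length
    return bytes([0xC0 | tag, len(body)]) + body
def sig_pkt(key_id):                            # v4 binary sig, RSA, SHA-256, issuer unhashed
    sub = bytes([9, 16]) + key_id
    return pkt(2, bytes([4, 0, 1, 8, 0, 0]) + struct.pack(">H", len(sub)) + sub
               + b"\xaa\xbb\x00\x08\xcd")       # hash prefix + one-byte MPI
PKESK = pkt(1, bytes([3]) + RECIPIENT_ID + bytes([1]) + b"\x00\x08\x99")
ENCRYPT_THEN_SIGN = PKESK + pkt(18, b"\x01" + bytes(24)) + sig_pkt(SENDER_ID)
SIGN_THEN_ENCRYPT = PKESK + pkt(18, b"\x01" + bytes(40))  # signature sits inside the ciphertext
```

One caveat the reply leaves out: the PKESK packet carries the recipient's key ID in cleartext with either ordering, so sign-then-encrypt hides only the sender.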