private key protection
peter at digitalbrains.com
Tue Oct 18 15:22:48 CEST 2011
On 18/10/11 15:05, Robert J. Hansen wrote:
> On 10/18/2011 8:36 AM, Jerome Baum wrote:
>> Have you looked at my original statement?
Oddly, I don't recall Jerome ever making a statement remotely like "If I steal
your decrypted key, ...". I only remember him stating that he thought, as did I,
that the OP meant that he wanted ways to prevent people stealing his secret key
material when he said: "what is the best way to protect
your private key from getting stolen?". Anthony interpreted it as somebody
stealing the keyring, and Jerome disagreed on that interpretation. As do I.
>> I recall making the distinction between a key* and a key-ring/-file,
>> not between a key-ring and a key-file.
> A distinction that has been lost on apparently everyone here. Please
> use accepted terminology.
When reading the thread, I wasn't for one moment confused about the intended
meaning of the word "key" when Jerome used it.
Funnily enough, Jerome was correcting Antony, and Antony replied:
"Rereading the post, you're probably right."
Which I think means the distinction was also not lost on Antony.
>> If you look at the original context you'll see that my statement
>> wasn't so trivial.
> I have been: your statement is trivial.
Produce the exact trivial statement, please, in a quote. Otherwise we'll never
be able to determine it's triviality.
Because I only see Jerome asserting:
- That the OP probably meant "raw secret key material" when he said key (my own
- That the distinction between a keyring/-file and a key as he meant it was that
the one was protected by a passphrase and the other was not, as it was the raw
secret key material.
I don't see the triviality.
What I do consider trivial is this silly bickering over who said what, when and
what the other one meant when he wrote what he wrote.
> If the attacker already has read-wherever access to memory, the attacker
> can do orders of magnitude worse than steal private key material.
Just as a sidebar, I disagree. The access to my private key would be the worst
thing, the rest of my computer memory is much less interesting.
> You're saying here, "if you assume the computer is already in a
> game-over condition, then it's game-over." Which is true, but it's also
> pretty close to the canonical example of trivial.
No, he never said that. It would come closer to truth to state he said it's game
over, but he did not say that when it's game over, that then it's game over. I'm
not going to assert what he actually meant when he said the exact words he said,
because that is something which is out of reach for all of us except Jerome or a
really good brainscanner attached to Jeromes head while he writes mails. Seriously.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
More information about the Gnupg-users