A few newbie Qs

frank ernest doark at mail.com
Mon Apr 28 21:48:04 CEST 2014

The fact that you can't use the plain text and the cipher text to recover the private key is simply AMAZING. You really should mention that fact in the faq.

>> Is it polite to post saying that you want to sign keys with somebody 
>> on a random mailing list?
> Depends a lot on the mailing list.  I wish I could give clearer advice
> than that.

Ok, how about this one?
I also fequent the nano and curl mailing lists.

>> Is there a limit practical or imposed on the lenght of a passpharse?
>>  I'm thinking of a 740 char passphrase that, though containing 
>> sentences and, therefore, making sense, (though perhaps only to some 
>> sick people like me,) and also containing repetitions of words 4+ 
>> chars long, is really easy for me to remember. Do you think that it 
>> would be a good passphrase?
> No.
> English has about 1.5 bits of entropy per glyph.  Past about 384 letters
> you're not making things any harder to guess.  Long passphrases also
> silently encourage users to do risky things like cut-and-paste them.
> (It's very easy for malware to look at the contents of your clipboard
> buffer.)

So, what you are saying is that past 384 chars, a longer passpharse ceases to be worth the effort?
Did your figuring take into accout the fact that I'm using puntuation marks too (max 68+26*2 chars of entropy?)

Another worthwile Q, do people audit the gnupg source code for bugs? If so how often? (I'm thinking as I write this of an idiotic but in the openssl package. (The C in C is soft for S as in SANITIZE, not like K for KILL yourself.)) Yes, I could audit the source, but not for logical errors as I would not understand the algorithms involved.

More information about the Gnupg-users mailing list