A few newbie Qs

frank ernest doark at mail.com
Mon Apr 28 21:48:04 CEST 2014


The fact that you can't use the plaintext and the ciphertext to recover the private key is simply AMAZING. You really should mention that fact in the FAQ.

>> Is it polite to post saying that you want to sign keys with somebody 
>> on a random mailing list?
>
> Depends a lot on the mailing list.  I wish I could give clearer advice
> than that.

Ok, how about this one?
I also frequent the nano and curl mailing lists.

>> Is there a limit, practical or imposed, on the length of a passphrase?
>>  I'm thinking of a 740 char passphrase that, though containing 
>> sentences and, therefore, making sense, (though perhaps only to some 
>> sick people like me,) and also containing repetitions of words 4+ 
>> chars long, is really easy for me to remember. Do you think that it 
>> would be a good passphrase?
>
> No.
>
> English has about 1.5 bits of entropy per glyph.  Past about 384 letters
> you're not making things any harder to guess.  Long passphrases also
> silently encourage users to do risky things like cut-and-paste them.
> (It's very easy for malware to look at the contents of your clipboard
> buffer.)

So, what you are saying is that past 384 chars, a longer passphrase ceases to be worth the effort?
Did your figuring take into account the fact that I'm using punctuation marks too (max 68+26*2 chars of entropy?)

Another worthwhile Q: do people audit the gnupg source code for bugs? If so, how often? (I'm thinking as I write this of an idiotic bug in the openssl package. (The C in C is soft for S as in SANITIZE, not like K for KILL yourself.)) Yes, I could audit the source, but not for logical errors, as I would not understand the algorithms involved.
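The 1.5-bits-per-glyph reasoning in the quoted reply, worked through as an added Python example (this is not code from the original thread): it compares the upper bound for uniformly random characters drawn from the character classes actually used against the English-text estimate, and computes the length beyond which more natural-language text stops adding security for a chosen target strength. The 1.5 bits/glyph figure comes from the reply; the target strengths, the sample passphrase and the 32-symbol punctuation set (Python's `string.punctuation`) are assumptions made here.

```python
import math
import string

# Rough per-character entropy of natural English text (figure from the reply above).
ENGLISH_BITS_PER_GLYPH = 1.5

# Character classes and the pool size each contributes when at least one of its
# characters appears. The 32-symbol punctuation set is an assumption.
CHAR_CLASSES = [
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),           # 10
    ("punct", set(string.punctuation)),       # 32
    ("space", {" "}),                         # 1
]


def alphabet_size(passphrase: str) -> int:
    """Size of the character pool implied by the classes actually present."""
    present = set(passphrase)
    return sum(len(chars) for _name, chars in CHAR_CLASSES if present & chars)


def estimate_bits(passphrase: str) -> dict:
    """Two entropy estimates for a passphrase.

    random_bits  - upper bound if every character were chosen uniformly from the pool
    english_bits - estimate if the text is meaningful English (1.5 bits per glyph)
    usable_bits  - the smaller of the two; mixing punctuation into sentences does not
                   lift the English estimate, because the words remain predictable
    """
    n = len(passphrase)
    pool = alphabet_size(passphrase)
    random_bits = n * math.log2(pool) if pool else 0.0
    english_bits = n * ENGLISH_BITS_PER_GLYPH
    return {
        "length": n,
        "pool": pool,
        "random_bits": random_bits,
        "english_bits": english_bits,
        "usable_bits": min(random_bits, english_bits),
    }


def useful_length(target_bits: float, bits_per_glyph: float = ENGLISH_BITS_PER_GLYPH) -> int:
    """Length past which more English text adds nothing for the given target strength."""
    return math.ceil(target_bits / bits_per_glyph)


# Constructed sample: English words, punctuation, and a repeated word, as in the question.
SAMPLE = "correct horse, battery staple! correct horse."

if __name__ == "__main__":
    est = estimate_bits(SAMPLE)
    print(f"length={est['length']} pool={est['pool']} "
          f"random={est['random_bits']:.1f} english={est['english_bits']:.1f} "
          f"usable={est['usable_bits']:.1f} bits")
    for target in (128, 256):  # assumed target strengths
        print(f"{target}-bit target: English text beyond {useful_length(target)} chars adds nothing")
```

Repeated words and phrases push the real rate below 1.5 bits per glyph, so the English estimate is itself generous for a passphrase built from repetitions; the random-character bound is what a passphrase only reaches when the characters are chosen without structure.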