Why create offline main key without encryption capabilities

Suspekt suspekt at gmx.de
Sun Jun 1 22:20:48 CEST 2014


Am 01.06.2014 21:26, schrieb Hauke Laging:
> Am So 01.06.2014, 21:12:49 schrieb Suspekt:
>
>>> There are certain risks using the same RSA key for encryption and
>>> signing. If you make a blind signature over data someone supplied
>>> then you unintentionally decrypt the data (and send it back).
>>
>> I don't get it. Decrypting data by signing it?
>
> http://en.wikipedia.org/wiki/Blind_signature#Dangers_of_blind_signing
>
> I just remembered that and didn't read it again before mentioning it. It
> seems I have misunderstood it so that this is not a real-world problem
> (as NdK pointed out).
Glad to hear


>> That's a good point! Also it will be interesting to explain to the judge
>> the details of PGP, main keys and subkeys ;)
>> Probably we have to get an expert from the CCC for that
>
> I don't see any legal approach in Germany to force somebody to give his
> decryption key to the police. Don't forget that the police would not
> even need the decryption key to decrypt a certain message. You can give
> them the session key for this message.
Also, AFAIK, they can't put you into jail or fine you if you have
forgotten the according passwords and sometimes those passwords are
really hard to remember...
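The RSA property behind the "blind signing decrypts the data" remark, as an added illustration that is not part of the thread: with textbook (unpadded) RSA, the signing operation and the decryption operation are the same exponentiation, so raw-signing a ciphertext returns the plaintext; signing a digest of the data, as OpenPGP and every real signature scheme does, removes that link. The primes and message below are constructed toy values.

```python
from hashlib import sha256

def keygen(p, q, e):
    # constructed toy parameters; real keys use 2048+ bit moduli
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def raw_sign(priv, x):
    # textbook RSA "signature": x^d mod n, which is exactly RSA decryption
    n, d = priv
    return pow(x, d, n)

def digest_mod_n(data, n):
    return int.from_bytes(sha256(data).digest(), "big") % n

def hashed_sign(priv, data):
    # what real schemes do: sign a hash of the data, never the raw value
    n, d = priv
    return pow(digest_mod_n(data, n), d, n)

def hashed_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(data, n)

def blind_sign_leak(priv, pub, m):
    # someone asks for a raw signature over a ciphertext made with the
    # same key: the "signature" is the plaintext
    c = encrypt(pub, m)
    return raw_sign(priv, c)

def blind_sign_hashed(priv, pub, m):
    # same request, but the signer hashes first: result is a signature
    # over the ciphertext bytes, not the plaintext
    c = encrypt(pub, m)
    data = c.to_bytes((pub[0].bit_length() + 7) // 8, "big")
    return data, hashed_sign(priv, data)

if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)          # n = 3233, toy key
    print("raw-signed ciphertext of 65 ->", blind_sign_leak(priv, pub, 65))
    data, sig = blind_sign_hashed(priv, pub, 65)
    print("hashed signature verifies:", hashed_verify(pub, data, sig))
```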
