some beginner questions
Doug Barton
dougb at dougbarton.email
Mon Apr 3 15:29:08 CEST 2017
On 04/03/2017 04:16 AM, Peter Lebbing wrote:
> On 03/04/17 08:25, Doug Barton wrote:
>> That said, as long as you have a suitable passphrase your risk of key
>> compromise is really, really minimal, even if they did get total control
>> over your device. Barring coercion, the chances of someone guessing your
>> passphrase is near zero. And currently that's the only way to gain
>> access to a secret key, even if you have it in your possession.
>
> I might misunderstand what you mean.
Yes, you did. :)
> But when somebody has full access
> to your device, they can simply log your keystrokes when you type the
> passphrase, and get your passphrase that way. Key compromise is very
> well possible without you knowningly handing over the passphrase.
You are correct, but that's a different threat model than someone simply
stealing the device (which is what I wrote about). What you're
describing implies a level of sophistication and coordination on the
attacker's part that few of us are subject to, and certainly wasn't
included in what Will said he was trying to guard against.
> More generally, it is impossible to use GnuPG in a meaningful way on a
> compromised device.
Well, yeah, but, again, not relevant to my post. :)
Doug
More information about the Gnupg-users
mailing list