On 4/19/11 3:17 PM, Mike Acker wrote:
> On 04/19/2011 14:35, gnupg-users-requ...@gnupg.org wrote:
>> Maybe because, since this is the support list for GnuPG, we are all
>> thinking more about how to protect an encrypted file than about how to
>> protect a server account.
> relevance?
>
> what difference does it make if I am discussing a server logon or the
> password for a .zip? 3 strikes, you're out would be good on the server
> but for the .zip the delay after bad makes more sense
>
> if i delay responding to a bad password for 1 second the speed of your
> processor become irrelevant: you now need 1000 vm's to get to 1m
> tries/sec. and there's no real reason i wouldn't make it 10 sec after
> the 2d bad try, and then 30 min after the 3d -- like the Novell server
> used to do
>

For an OS or some rpc call, a three strikes rule makes sense. An attacker is attacking from an outside system, you still have control of your system, and the login is a barrier between the two.

But an encrypted file can be on the attacker's system. We could conceivably add a three-strikes option to gnupg, but since the OpenPGP standard is published and gnupg is open source, a malicious user could just write their own program that doesn't have a delay, or run a modified copy of gpg. It's the same with a zip file. You can't enforce the rule in any reliable way.

-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
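
The contrast drawn in the reply above, as an added example (not part of the original post and not GnuPG code): a three-strikes counter held by a server versus one held by a file tool. `ServerLogin`, `PoliteTool` and `check_file` are hypothetical names, and PBKDF2 is an assumed stand-in for the passphrase check.

```python
import hashlib
import hmac

SALT = b"constructed-salt"   # constructed sample value
ITERATIONS = 1000            # kept low so the example runs quickly

def derive(passphrase: str) -> bytes:
    # PBKDF2 is a stand-in verifier here, not OpenPGP's actual S2K scheme.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, ITERATIONS)

class ServerLogin:
    """Defender-held barrier: the failure counter lives where the client cannot reset it."""
    def __init__(self, passphrase: str, max_failures: int = 3):
        self._verifier = derive(passphrase)
        self._failures = 0
        self._max = max_failures

    def attempt(self, guess: str) -> str:
        if self._failures >= self._max:
            return "locked"              # refuses even the correct passphrase
        if hmac.compare_digest(derive(guess), self._verifier):
            self._failures = 0
            return "ok"
        self._failures += 1
        return "denied"

class PoliteTool:
    """Hypothetical file tool with a three-strikes option; the counter lives in the tool."""
    def __init__(self, max_failures: int = 3):
        self._failures = 0
        self._max = max_failures

    def open(self, file_verifier: bytes, guess: str) -> str:
        if self._failures >= self._max:
            return "locked"
        if check_file(file_verifier, guess):
            return "ok"
        self._failures += 1
        return "denied"

def check_file(file_verifier: bytes, guess: str) -> bool:
    # Everything needed for the check travels with the file, so any program,
    # or a fresh copy of the tool, can run it without the tool's counter.
    return hmac.compare_digest(derive(guess), file_verifier)

def run_demo(secret: str = "correct horse", wrong=("a", "b", "c")):
    server, tool, verifier = ServerLogin(secret), PoliteTool(), derive(secret)
    server_log = [server.attempt(g) for g in wrong] + [server.attempt(secret)]
    tool_log = [tool.open(verifier, g) for g in wrong] + [tool.open(verifier, secret)]
    fresh_tool = PoliteTool().open(verifier, secret)   # counter did not follow the file
    return server_log, tool_log, fresh_tool, check_file(verifier, secret)
```

The server stays locked for every caller after three failures, while the file-side lockout disappears as soon as a new tool instance or a direct check is used.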