On 2011-10-18 14:22, Robert J. Hansen wrote:
> On 10/18/2011 8:10 AM, Jerome Baum wrote:
>> If I manage to steal your private keyring, then yes the very strong
>> passphrase should grind my attempts to steal your key to a halt. If I
>> manage to steal your private _key_ OTOH, I don't need to get past your
>> passphrase as that doesn't come into play.
>
> Nonsense.
>
> Have you looked at how GnuPG stores a keyring? It's a sequential series
> of individual keys, one octet after another. There is no difference
> between an individual private key and a keyring containing one entry.

Have you looked at my original statement? I recall making the distinction
between a key* and a key-ring/-file, not between a key-ring and a key-file.

> (Note: this was true as of early in the GnuPG 1.4 days, which was the
> last time I seriously looked at the code. I'm going from a memory a few
> years old here.)

IIRC "nowadays" it's a separate file per key?

> What you seem to be saying is "if I steal your decrypted key, which is
> to say the raw key material...". Well, okay: but we already know that's
> a game-over state, which makes your statement trivial.

If you look at the original context you'll see that my statement wasn't so
trivial. The OP asked "how can I prevent people from stealing my key*?" and
one person answered "it's not a problem if people steal your key*, because
it's passphrase-protected." In this context it might be a good idea to
mention that stealing your actual key* from memory _is_ a problem, while
stealing your key-file/-ring/-whatever is truly not so big a problem if your
passphrase holds up.

* I'm going to take the word to mean what it says: "key", not what I can
flexibly interpret it as: "encrypted key".

--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
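The thread turns on whether what was stolen is a key *file* (secret key material wrapped by a passphrase-derived key) or the raw key material itself. The check a practitioner wants when a secret keyring has leaked is therefore "was the secret part actually passphrase-protected, and how expensive is the S2K?". The script below is an added example, not code from this thread or from GnuPG: it walks a concatenated OpenPGP packet stream (old- and new-format headers, as RFC 4880 lays them out), finds Secret-Key and Secret-Subkey packets, and reads the S2K usage octet that follows the public MPIs. Usage 0 means the private MPIs are in the clear; 254/255 means they are encrypted and the cipher, S2K mode, hash, salt and iteration count follow. The two packets it runs over are constructed inline with dummy MPIs (the byte layout is real, the key values are not).

```python
"""Report whether the secret material in OpenPGP secret-key packets is
passphrase-protected. Added example; layout per RFC 4880 5.5.3, inputs constructed."""
import struct

TAG_SECRET_KEY, TAG_SECRET_SUBKEY = 5, 7
# number of public MPIs per public-key algorithm (RFC 4880 5.5.2)
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA


def iter_packets(data):
    """Yield (tag, body) for each packet in a concatenated stream (a keyring)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length


def skip_mpi(body, pos):
    """Return the offset just past the MPI (2-byte bit count + big-endian bytes) at pos."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


def s2k_count(c):
    """Decode the one-octet iterated-S2K count (RFC 4880 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def inspect_secret_key(body):
    """Describe how the secret part of a v4 secret-key packet body is stored."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    algo, pos = body[5], 6                      # version, 4-byte ctime, algo id
    for _ in range(PUBLIC_MPI_COUNT[algo]):
        pos = skip_mpi(body, pos)
    usage = body[pos]
    info = {"algo": algo, "s2k_usage": usage, "protected": usage != 0}
    if usage == 0:                              # private MPIs follow in the clear
        return info
    if usage in (254, 255):
        info.update(cipher=body[pos + 1], s2k_type=body[pos + 2], hash=body[pos + 3])
        if info["s2k_type"] in (1, 3):          # salted / iterated+salted
            info["salt"] = body[pos + 4:pos + 12].hex()
        if info["s2k_type"] == 3:
            info["iterations"] = s2k_count(body[pos + 12])
    else:                                       # legacy: octet is the cipher id, simple MD5 S2K
        info.update(cipher=usage, s2k_type=0)
    return info


def audit_keyring(data):
    return [inspect_secret_key(b) for t, b in iter_packets(data)
            if t in (TAG_SECRET_KEY, TAG_SECRET_SUBKEY)]


# --- constructed sample keyring: one unprotected primary key, one protected subkey ---
def mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def packet(tag, body, new_format=True):
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body          # one-octet length (<192)
    return bytes([0x80 | (tag << 2), len(body)]) + body       # old format, length-type 0


PUBLIC_PART = b"\x04" + b"\x4e\x9d\x5a\x00" + b"\x01" + mpi(0xC001) + mpi(65537)  # dummy RSA
CLEAR_SECRET = b"\x00" + mpi(0x11) + mpi(0x13) + mpi(0x17) + mpi(0x1d) + b"\x00\x00"
PROTECTED_SECRET = (b"\xfe\x09\x03\x08"           # usage 254, AES-256, iterated+salted, SHA-256
                    + bytes(range(8)) + b"\xff"   # salt, count octet 0xff = 65011712
                    + bytes(16) + bytes(20))      # IV, then ciphertext (dummy zeros)
SAMPLE_KEYRING = (packet(TAG_SECRET_KEY, PUBLIC_PART + CLEAR_SECRET)
                  + packet(TAG_SECRET_SUBKEY, PUBLIC_PART + PROTECTED_SECRET, new_format=False))

if __name__ == "__main__":
    for entry in audit_keyring(SAMPLE_KEYRING):
        print(entry)
```

Run against a real exported secret key (`gpg --export-secret-keys` output, unarmored) the same walk tells you, per key and subkey, whether a leaked file still stands behind the passphrase and how many hash iterations an offline guess costs; a usage octet of 0 is the case where the file leak is as bad as the memory leak the reply describes.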