On 04/03/2017 04:16 AM, Peter Lebbing wrote:
On 03/04/17 08:25, Doug Barton wrote:
That said, as long as you have a suitable passphrase your risk of key
compromise is really, really minimal, even if they did get total control
over your device. Barring coercion, the chances of someone guessing your
passphrase is near zero. And currently that's the only way to gain
access to a secret key, even if you have it in your possession.
I might misunderstand what you mean.
Yes, you did. :)
But when somebody has full access
to your device, they can simply log your keystrokes when you type the
passphrase, and get your passphrase that way. Key compromise is very
well possible without you knowningly handing over the passphrase.
You are correct, but that's a different threat model than someone simply
stealing the device (which is what I wrote about). What you're
describing implies a level of sophistication and coordination on the
attacker's part that few of us are subject to, and certainly wasn't
included in what Will said he was trying to guard against.
More generally, it is impossible to use GnuPG in a meaningful way on a
compromised device.
Well, yeah, but, again, not relevant to my post. :)
Doug
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
