[clue-tech] Some thoughts about GnuPG.

Jed S. Baer cluemail at jbaer.cotse.net
Sat Sep 4 16:33:56 MDT 2010


On Sat, 04 Sep 2010 14:57:52 -0600
David L. Anselmi wrote:

> Hmm... Maybe I don't want the key to ever hit my hard drive.  Nor any
> OS that's connected to a network.  Normally I wouldn't bother with
> extra paranoia if it's inconvenient but how hard would it be to make
> the key and archive it using a live CD?  And could the key be stored on
> the live CD that created it?  (Well, OK, that last is just showing off.)

Okay Dave, you get points for being even more paranoid than I.

Unless you're worried about some process reading memory and leaking info
after the fact, why not just shut your network off (or even unplug the
network cable) while you're generating your key?

Despite my not using it (except for web SSL), I'm actually a big fan of
using encryption for data transmission. The barrier to doing so is
finding recipients who are willing to put in the effort, and who will do
it properly. I'm aware of plenty of people who don't understand the
importance of identification for key signing. I suppose in some contexts,
that might be OK (as in 'I know this key is from the forum poster
identified by my_kewl_nicname') except that I don't know there's a way to
attach comments to a signature (maybe there is) and even if you did, a
lot of people would either not read them, or not realize the significance.

The other thing I worry about is that the only way PGP type PKE will
become widespread will be with a lot of really inadequate passphrases. If
I'm going to encrypt something to somebody using their public key, how do
I know their passphrase isn't something like 'I l0ve bacon'?

Although I do have a few memory tricks in mind for these sorts of things,
my other worry is that I won't be able to remember a passphrase of
sufficient complexity.

-- 
Ok, so we should be thinking of a lovable, cuddly, stuffed penguin
sitting down after having gorged itself on herring. Still with me? 
 -- Linus Torvalds
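
The offline key-generation step Jed suggests (take the network down, then run gpg) as a script, added here as an example; it is not part of the original post and not GnuPG's own code. It checks the interface list before it will generate anything, builds the key in a fresh GNUPGHOME (on removable media, say) so the normal ~/.gnupg is never touched, and exports the public key and the revocation certificate that GnuPG 2.1+ writes automatically. The function names offline_check, gen_offline_key and selftest are chosen here; the interface lines inside selftest are constructed samples, not captured output. Assumes iproute2 ("ip"), awk, and GnuPG 2.1 or later with a working pinentry.

```shell
#!/bin/sh
# Added example (not from the original post or from GnuPG). Generate a GnuPG
# key only when no non-loopback interface is up, into an isolated GNUPGHOME.

# offline_check: read the output of "ip -o link show" on stdin and succeed (0)
# only when every interface other than lo lacks the UP flag. Deliberately
# conservative: an unplugged cable on an interface that is still admin-UP
# also fails, so "ip link set dev eth0 down" is the expected fix.
offline_check() {
    awk '
        # one interface per line: "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
        NF < 3 { next }
        { name = $2; sub(/:$/, "", name); flags = $3 }
        name != "lo" && flags ~ /[<,]UP[,>]/ { bad++ }
        END { exit (bad > 0) }
    '
}

# gen_offline_key DIR NAME EMAIL
# Unattended key generation into DIR, which must not already exist. No
# Passphrase line and no %no-protection in the parameter file, so gpg-agent
# asks for the passphrase through pinentry instead of taking it from a script.
gen_offline_key() {
    dir=$1 name=$2 email=$3
    if [ -e "$dir" ]; then
        echo "refusing to reuse existing $dir" >&2
        return 1
    fi
    (umask 077 && mkdir -p "$dir") || return 1
    GNUPGHOME=$dir gpg --batch --gen-key <<EOF || return 1
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
%commit
EOF
    # Public key to hand out; the revocation certificate GnuPG 2.1+ writes
    # under openpgp-revocs.d/<fingerprint>.rev should leave the box with it.
    GNUPGHOME=$dir gpg --batch --armor --export "$email" > "$dir/public.asc" || return 1
    cp "$dir"/openpgp-revocs.d/*.rev "$dir/revocation.rev" 2>/dev/null
    echo "key material in $dir (public.asc, revocation.rev, private keyring)"
}

# selftest: run offline_check over two constructed samples (not real output):
# one with eth0 up (must be rejected), one with eth0 down (must pass).
selftest() {
    printf '%s\n' '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536' \
                  '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500' | offline_check && return 1
    printf '%s\n' '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536' \
                  '2: eth0: <BROADCAST,MULTICAST> mtu 1500' | offline_check || return 1
    return 0
}

if [ "${1:-}" = "--gen" ]; then
    # Usage: sh offline-keygen.sh --gen /media/usb/gnupg-home "Your Name" you@example.invalid
    ip -o link show | offline_check || { echo "a network interface is up; refusing to generate" >&2; exit 1; }
    gen_offline_key "$2" "$3" "$4"
else
    selftest && echo "offline_check self-test passed"
fi
```

Run without arguments it only exercises offline_check on the constructed samples; with --gen it refuses to proceed while any interface other than lo is up. The private keyring stays in the directory you named, which is the point: nothing is written under the home directory of the networked OS.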