Re: RFC: gnupg
Zed Pobre <zed@moebius.interdestination.net> wrote:
> Old developer A creates a new GPG key, extracts it, signs with his
> old PGP key and sends it in. Verifying developer B receives the
> message, verifies and strips the PGP signature. Unfortunately, he's
> foolishly doing this on a machine where he's not root, or doing it in
> a user-writable directory. Nasty intruder C knows that A was planning
> on sending in a new key, and has spoofed a key with his name, and
> encoded it. Since he happens to be root, or at least a user with
If root is compromised on a machine used for PGP, nothing is secure.
Root can intercept keystrokes used for the pgp password, and can
replace the entire keyring.
--
Raul