Re: RFC: gnupg

To: Zed Pobre <zed@moebius.interdestination.net>, Debian Developers List <debian-devel@lists.debian.org>
Subject: Re: RFC: gnupg
From: Raul Miller <rdm@test.legislate.com>
Date: Sun, 5 Jul 1998 21:12:10 -0400
Message-id: <[🔎] 19980705211210.E786@test.legislate.com>
Mail-followup-to: Zed Pobre <zed@moebius.interdestination.net>, Debian Developers List <debian-devel@lists.debian.org>
In-reply-to: <[🔎] Pine.LNX.3.96.980705192437.11173B-100000@moebius.interdestination.net>; from Zed Pobre on Sun, Jul 05, 1998 at 07:27:18PM -0500
References: <[🔎] 19980705202324.D786@test.legislate.com> <[🔎] Pine.LNX.3.96.980705192437.11173B-100000@moebius.interdestination.net>

> >If root is compromised on a machine used for PGP, nothing is secure.
> >
> >Root can intercept keystrokes used for the pgp password, and can
> >replace the entire keyring.

Zed Pobre <zed@moebius.interdestination.net> wrote:
>     Which would leave you with a keyring with keys with no signatures,
> since not even root on master can fake my signature on a key.  I think
> someone would notice.  A major compromise will compromise all new
> developer keys, certainly, but that was never an issue in my mind since
> it is common to all versions.

Ok, if that's all you're worried about, it can be addressed by making
public (for example: some place on the web site) the pgp signed instance
of the gpg public key.

-- 
Raul


--  
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Re: RFC: gnupg
  - From: Raul Miller <rdm@test.legislate.com>
- Re: RFC: gnupg
  - From: Zed Pobre <zed@moebius.interdestination.net>

Prev by Date: Re: autoup.sh availability
Next by Date: Re: libc6_2.0.7r-3 considered harmful
Previous by thread: Re: RFC: gnupg
Next by thread: Re: RFC: gnupg
Index(es):
- Date
- Thread