Re: [tlug] gpg (was) advice to consider upgrading to RH9
- Date: Fri, 15 Aug 2003 01:16:11 -0700
- From: Jonathan Byrne <jq@example.com>
- Subject: Re: [tlug] gpg (was) advice to consider upgrading to RH9
- References: <OF955C791A.9CEFDE77-ON65256D7B.0016585D@example.com> <oprttpjuki0fabl5@example.com> <20030813033037.GB29724@example.com> <oprttw4vs90fabl5@example.com> <20030813060933.GF29724@example.com> <oprtxq8nlt0fabl5@example.com>
- User-agent: Mutt/1.5.4i
On Fri, Aug 15, 2003 at 04:32:37PM +0900, Shawn wrote:
>Is that really necessary to have two keys? Is that safer than using
>
>#gpg --symmetric

I have two keys anyway, because you need that for all other functions of PKI crypto, such as signing your email, or encrypting it if it contains financial or other confidential information, so it's easier just to do it the same way for any file I want to encrypt than to do it one way for some things and maybe another way for others. It also helps with organization, because if I always use a key pair, then I don't have to sit and think "Did I encrypt that file with symmetric or asymmetric?" OK, that's more theoretical than actual, since I have very few encrypted files, but for some people it's probably a true practical consideration.

Now, for people who want to be especially paranoid, they can keep several key pairs around and use different key pairs (with different passphrases, of course) on a rotating or random basis, and keep a file (also encrypted) that lists what file was done with what key, and keep that file only in removable storage of some kind. That way, even if an attacker had both your file and your key ring (stole the disk and the computer, for example), the attacker would have to figure out "OK, which one of these six (or whatever) keys was used to encrypt that file?" S/he would have no choice but to try bruteforcing the passphrase for all of them, one at a time.

Of course, if a person is that watchful about crypto, the most likely scenario is that s/he keeps her private keys in offline storage all the time anyway, so stealing the computer would do an attacker no good. The key itself would have to be bruteforced, and that probably wouldn't happen in the attacker's lifetime or mine, and that's good enough. I have no deep dark secrets that must be hidden forever, and the validity of my bank accounts and such will expire when I do.

Besides, if I had any deep dark secrets like that, I wouldn't write them down on my computer, encrypted or not - they would remain secrets in the only way possible: never telling anyone and never recording them anywhere :-)

I'm totally unfamiliar with ant, what is it? I'll probably keep doing things the way I do it now: if I want a file encrypted, manually do it. Keeps things in one's head to do it that way. Scripting things is a lot like a point-n-drool GUI. It tends to make people forget how to do it without the script :-)

Jonathan
--
gpg --keyserver pgp.mit.edu --recv-keys ACC46EF9

Attachment: pgp00042.pgp
Description: PGP signature