-----BEGIN PGP SIGNED MESSAGE-----
From owner-cypherpunks@toad.com Thu Dec 1 20:25:31 1994 Date: Thu, 1 Dec 1994 21:18:55 -0500 Subject: public accounts / PGP / passphrases To: cypherpunks@toad.com From: lmccarth@ducie.cs.umass.edu X-Server-Version: Cactus-Serv 1.1 Reply-To: cypherpunks@bb.hks.net Sender: owner-cypherpunks@toad.com Content-Length: 1705
Rather than assume that the "Reply-To:" field shown above is appropriate, I have Cc'ed your originating address as well. So, if you get two copies of this, you'll know why.
Could someone please elaborate on the foolishness of using PGP with a passphrase on a public machine (as I do) ? Am I wrong in thinking that my secret key is useless to an intruder until she guesses my passphrase ? I have no net access except via an account on a public machine, so I'm not about to start storing my secret key elsewhere, but I'll change my passphrase to <null> if it's irrelevant anyway. I just reviewed the PGP docs a bit and Phil says "Nobody can use your secret key file without this pass phrase.", which seems to contradict what many people on the list have said.
Postulate an unscrupulous sysadmin (or anyone who manages to get the password for 'root' via fair means or foul). Let's call him Charlie (since we know that neither Alice nor Bob would do such a thing :). Charlie could easily install a process which logs each keystroke you enter, thus capturing your passphrase in said log. Alternately, he could substitute a rogue version of PGP for the real version. This rogue version would function exactly like the real version (to avoid suspicion on your part), but would surreptitiously copy your secret key and passphrase into a log file. Admittedly, this kind of attack is far-fetched. As long as you are aware of the possibility, you are free to assess the likelihood of such an attack and proceed accordingly. - -- Scott Collins "Now, thanks to the computer revolution, many Alcatel Network Systems geeks make ten times as much money as you do." Richardson, Texas Canter & Siegel, the Green Card Lawyers -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBFAwUBLt8tgyoZzwIn1bdtAQFxDAF/Vu1A4jQ5R0hW2OODcMMPCjeCFZG0aRvB OJDeQZi5hBGAVjVk2QOeCZR//zWvp1lC =Rpnk -----END PGP SIGNATURE----- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address belonging to the signature and forwarded.]