
Alan Olsen writes:
At 10:41 AM 1/31/97 -0800, Z.B. wrote:
My computer went into the shop a few days ago, and I was unable to take my PGP keys off it before it went in. What are the security risks here? If the repairman chooses to snoop through the files, what would he be able to do with my key pair? Will I need to revoke the key and make a new one, or will I be relatively safe since he doesn't have my passphrase?
Depends on how guessable your passphrase is. If you use something that would fall to a dictionary attack, then you are vulnerable. (Providing that they actually looked for your keyring and made a copy.)
If you had nyms on your keyring, then those nyms can be associated with your "true name" with no passphrase required. (Unless you keep your keyring encrypted. Private Idaho supports encrypted keyrings, but little else does.)
Other attacks would be installing a keyboard sniffer, replacing your PGP binary with a trojan that records your passphrase, etc. This sort of stuff is quite possible but not likely. Yet.
If you are really concerned about it, you could learn to do your own computer repairs.
Or put your PGP keys on removable media.

--
Eric Murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF