On Sat, 14 Jun 1997, Paul Bradley wrote:
It'd be nice to have more specifics about the whole situation, but regardless - any preliminary threat assessments? Exactly how widely exploited do you think this has been?
Tim's post (although refuted by Marc) raises some serious issues since I suspect that Joe Public has his secret key sitting in c:\pgp\secring.pgp
Some coherent input on the possible impact of this would be appreciated.
Basically the threat model is very simple:
Joe "slightly crypto-savvy pgp user" sixpack keeps his pgp keyring in c:\pgp on a dos/w95 box. The average user of any of the unices keeps his keyring in /usr/pgp or /usr/local/pgp it does not take a lot of attempts to go through most of the common places.
The very same guy probably has a password that is:
[snip]
Can you say "dictionary attack"???.
There is another, more insidious attack to worry about. Joe Cypherpunk has his PGP secret keyring in the "standard location". Joe Cypherpunk has also been posting to "Unpopular Usenet Group #666" (be it alt.religion.scientology or alt.clinton.fisting) using a nym(s) which have keys on the PGP keyring. All the perp has to do, once the secring.pgp is obtained is "pgp -kvv secring.pgp" and he now knows that Joe Cypherpunk and Secret Nym are the same person. This is a *BAD* thing. alano@teleport.com | "Those who are without history are doomed to retype it."