On Wed, 29 Nov 1995, Adam Shostack wrote:

...

PGP is really not the issue. The issue is more my security and the environment that I use PGP in. I don't have a trusted machine to run PGP on. Anyone who wants to can come up to machine and copy my secret keyring or they can even watch me typing my password in.

Threat, please?? Do people often stand over your shoulder as you type?

Yes.

Enter your office,

Yep, especially my night cleaning staff.

point guns at you,

Not recently ... I'd co-operate fully in that situation, though.

and take a backup of your entire computer?

You mean like the on-site backups that I have in the filing cabinet beside me, or the off-site backups that aren't here (in case of fire, or such) nd are completely outside my control?

Have you considered putting the secret keyring on a floppy and locking it in your desk/safe when you're not actually in the office? (Or home..)

Yep, I've considerred it. It's still not all that helpful. Cleaning staff has plenty of time when I'm not around to deal with that.

...

So, I don't fool myself, and I don't use PGP, except for things like exchanging a one-time pad with someone when I've already sent the message out across another delivery mechanism, like on a floppy delivered my courier.

I don't follow. You're claiming that PGP is good enough to transfer OTPads, but not good enough to sign pseudononymous messages?

Sure. Two different situations. If I take a message or a data tape and encrypt it with a one time pad. And then I send the message out to someone via Greyhound or DHL. And once they've confirmed that they have the encrypted message safely in hand, then I'll call them and ask them to call me with their public key delivered by voice via telephone. Which I then use to encrypt the one-time-pad, using the PGP key only once. Then, I'm comfortable sending it (not the message, but the pad) over the Internet encrypted with PGP. And I think at that point, I have Pretty Good Privacy.

Adam

-- "It is seldom that liberty of any kind is lost all at once."

Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E.