Re: QUERY: S/Keyish PGP?
I'm catching up on old mail...

In response to my query, Adam Shostack <adam@bwh.harvard.edu> wrote:
| A quick question: Has anybody considered the possibility of hacking
| something into PGP's password protection to allow an S/Key like access?
I thought of this, bounced it off a few people, none of whom caught the flaw. When I got around to implementing it, I realized that for it to work, your key would have to be securely stored on your unix box without encryption.
I caught that. What I was hoping for was something that would allow a key to be used for a specific purpose once and only once by a given passphrase. Ideally, this could be done on a machine that was totally insecure.

I didn't catch the fundamental flaw, though. If the machine is compromised the key can always be compromised by taking an image of the previous state and replaying whatever passphrase was intercepted. Bummer.

--
Todd Masco     | "life without caution/ the only worth living / love for a man/
cactus@hks.net | love for a woman/ love for the facts/ protectless" - A Rich
Cactus' Homepage

[This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.]
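The rollback problem described in this message, as an added illustration that is not part of the original post: a hypothetical store keeps one wrapped copy of the key per S/Key-style passphrase and destroys each slot on use. All names, the sample values and the toy XOR wrap are assumptions made for the example.

```python
import copy
import hashlib

def h(data):
    return hashlib.sha256(data).digest()

def xor_wrap(key, passphrase):
    # Toy wrap for illustration only (not real encryption): XOR the key
    # with a hash-derived pad. Keys are limited to 32 bytes here.
    pad = h(b"wrap" + passphrase)
    return bytes(a ^ b for a, b in zip(key, pad))

def skey_chain(seed, n):
    # S/Key-style chain: chain[i] = H^(i+1)(seed), consumed from the end,
    # so seeing one passphrase does not reveal the next one to be used.
    chain, cur = [], seed
    for _ in range(n):
        cur = h(cur)
        chain.append(cur)
    return chain

class OneTimeKeyStore:
    """Hypothetical on-disk state: one wrapped key copy per passphrase."""
    def __init__(self, secret_key, passphrases):
        self.slots = {h(p): xor_wrap(secret_key, p) for p in passphrases}

    def unlock(self, passphrase):
        # The slot is destroyed on use, which is the "once only" property.
        wrapped = self.slots.pop(h(passphrase), None)
        if wrapped is None:
            return None
        return xor_wrap(wrapped, passphrase)  # XOR is its own inverse

def demo():
    secret = b"constructed-secret-key-material!"   # constructed sample value
    chain = skey_chain(b"constructed seed", 3)
    store = OneTimeKeyStore(secret, chain)
    snapshot = copy.deepcopy(store)  # image of the state before use
    p = chain[-1]                    # passphrase typed once, and observed
    first = store.unlock(p)          # legitimate use succeeds
    second = store.unlock(p)         # reuse against live state is refused
    replay = snapshot.unlock(p)      # same passphrase against the old image
    return first, second, replay

if __name__ == "__main__":
    print(demo())
```

The one-time property lives entirely in the store's mutable state, so it only holds while that state cannot be copied and restored, which is the condition an insecure machine fails to meet.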