|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>> True. But they are the most common removable media, and the cheapest. So
>> it would be easy (and cheap) to make multiple diskettes. That, of course,
>> then introduces other security issues (such as losing one floppy
>> somewhere).
I've always been a big fan of using floppies. If someone were to break
into your flat, what's one of the first things they would steal? Your
computer, complete with hard drive and secret key. Floppies are portable,
so you can bring them with you when you leave the house, as well as being
easy to hide and quite innocuous looking. They are not as fragile as
their reputation might suggest, especially if you are mostly using it
for read-only access. Every year or so, you could easily transfer the
contents to a new diskette, and physically destroy the old one. Worse comes
to worse and the floppy fails, you use a disk-recovery tool, or destroy it
and get your backup copy.
> Which is why you should generate a revocation certificate immediately after
> generating keys, and keep it in more places than you keep your secret key.
> I really think generating a revocation certificate should happen
> automatically as part of "gpg --gen-keys".
No, this should be left as a choice. A revocation certificate is also a
very dangerous thing to leave laying around, and is in some ways more
dangerous than a secret key. If someone gets your secret key, they still
have to guess/crack your passphrase, which can be a Herculean task if
you have a decent keysize and/or passphrase. However, if someone obtains
your revocation certificate, they can immediately issue it and invalidate
your key. Sure, it rules out identity theft, but it would also be a royal pain
in the ass, having to explain what happened, generate a new key, rebuild
your web of trust, and losing the history of that key being used.
If someone steals your secret key, you can always get a backup copy, generate
a revocation certificate, and issue it. Someone would have to steal all
of your copies of your private keys at once to prevent this. This is possible,
but it is much more likely that a single copy of your revocation certificate
is stolen.
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200206060917
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html
iD8DBQE8/2OmvJuQZxSWSsgRAilIAKDXLsfqSNU+la0ZBXMV/dZtp5OfRgCfSipP
mlMLdhWAZymNVOuVj2esW1k=
=wDA8
-----END PGP SIGNATURE-----
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
|
|