From: Steve Reid <steve@edmweb.com>
Date: Mon, 29 Apr 1996 15:06:24 +0800
To: Alan Olsen <alano@teleport.com>
Subject: Re: PGP and pseudonyms
In-Reply-To: <2.2.32.19960428231217.00ac5b6c@mail.teleport.com>
Message-ID: <Pine.BSF.3.91.960428165931.10757A-100000@kirk.edmweb.com>
MIME-Version: 1.0
Content-Type: text/plain


> >this pseudonym. If this person's secret keyring were stolen, could
> >person=pseudonym be revealed, based on the key ID? Or would it require
> >knowing the passphrase? 
> 
> Yes, the person=personna would be revealed.  No, a passphrase would not be
> needed.
> To demonstrate try "pgp -kv secring.pgp" and see what you get.

I kinda figured that... I was just wondering if maybe the info could be
altered, so that the real info can't be figured without getting the
passphrase. 

> I hope this gets fixed in PGP 3.0.

I guess pseudonymity(sp?) wasn't the main concern when PGP was created.

I suppose a temporary fix would be to not use an ordinary PGP passphrase,
but rather encrypt the whole secring.pgp file. Decrypt it when you need
it, and be very careful to properly clean up when you're done. 


=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)    |
| Email: steve@edmweb.com   Home Page: http://www.edmweb.com/steve/ |
| PGP Fingerprint: 11 C8 9D 1C D6 72 87 E6  8C 09 EC 52 44 3F 88 30 |
|              -- Disclaimer: JMHO, YMMV, IANAL. --                 |
===================================================================:)