From: dmandl@lehman.com (David Mandl)
Date: Wed, 27 Oct 93 08:52:41 PDT
To: jrk@sys.uea.ac.uk
Subject: Re: Security of PGP private keys
Message-ID: <9310271518.AA03375@disvnm2.lehman.com>
MIME-Version: 1.0
Content-Type: text/plain


> From: jrk@sys.uea.ac.uk (Richard Kennaway)
> 
> PGP secret keys are protected by a password.  Yet people have said that one
> should not keep one's secret keyring on an insecure machine.  Why?
> 
> --                                  ____
> Richard Kennaway                  __\_ /    School of Information Systems
> Internet:  jrk@sys.uea.ac.uk      \  X/     University of East Anglia
> uucp:  ...mcsun!ukc!uea-sys!jrk    \/       Norwich NR4 7TJ, U.K.


1. Why take chances?  Once the evil intruder has the file, she can throw
test passwords at it from now till doomsday and might be able to crack it.

2. On shared machines, there are ways for users with the appropriate access
to read your keystrokes (like, for example, when you type in your pass phrase).
Anyone with that access should also be able to grab your secring.pgp with no
problem, and that's that.

   --Dave.