Josef Wolf wrote:
> I wondered why /dev/random is not used.

A few reasons, any one of which would be sufficient.

1. /dev/random isn't available on all platforms. GnuPG's random number generator is.

2. /dev/random is exhaustible. This is a Bad And Wrong for crypto applications.

3. /dev/random is, as I understand it, an ad-hoc design. Many people who need crypto software need vetted, certified designs (even if the software itself isn't certified). E.g., some people may require ANSI X9.17 RNG. With a software RNG, it's fairly easy to just drop in whatever RNG you need.

> It seems that "gpg -e --no-random-seed-file --lock-never -r foobar"
> does what I want. With this, only a warning about trustdb not being
> writable is issued. Can I safely ignore this warning?

I'm not sure what can cause the trustdb to be updated, I'm sorry. For instance, if GnuPG sees that the system clock has advanced to the point where a key has expired, does GnuPG cause the trustdb to be updated? Etcetera. For this question, you're going to have to ask the GnuPG developers, since it depends on GnuPG internals.

That said, my intuition--and beware of taking anyone's intuition too seriously--is that as long as you avoid modifying operations, the warning will be insignificant.

> Does --no-random-seed-file force /dev/random to be used?

Platform-dependent. Obviously, --no-random-seed-file won't force /dev/random to be used if you're on a system that has no /dev/random (e.g., Win32). You need to tell us the precise system environment before we can really answer these kinds of questions.

> sendbackup runs gnutar as root and gpg as backupclient. To make sure
> that [EMAIL PROTECTED] is not able to request unencrypted data, I
> need to make sure that backupclient is not able to modify the
> keyring.

I'm having a cognitive disconnect here. How does the _client's_ inability to modify the keyring affect the _server's_ ability to request unencrypted data?
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users