On Feb 28, 2011, at 6:47 AM, Guy Halford-Thompson wrote:

> Assuming I have password protected secret keys, can I assume that the
> gpg private keyring is secure? I.e., if my private keyring was to
> fall into malicious hands, would the aforesaid hands be able to
> extract any useful information from my password protected keys?
>
> I am not talking about super-hackers cracking the keys here...
> just things like metadata associated with the keys... email addresses,
> who has signed them, expiry date etc...
You can do quite a lot with stuff like this. Who signed who can tell you who this person has met, and often where. If you see a bunch of signatures around a particular date, look for a keysigning party on that date - now you have evidence they were there. Email addresses can reveal an enormous amount of information about a person. Robert and I did an experiment a few months ago where, starting only from his public key, I was easily able to find out real-world addresses, parents' names, siblings, etc.

However, all of this information is available in the *public* key as well. There is no need for an attacker to get this from your secret key when he can just get it from a handy keyserver. Assuming you have a good passphrase on your secret key, the attacker can't get into it any more than he could get into a message you send.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users