The fact that you can't use the plain text and the cipher text to recover the private key is simply AMAZING. You really should mention that fact in the FAQ.

>> Is it polite to post saying that you want to sign keys with somebody
>> on a random mailing list?
>
> Depends a lot on the mailing list. I wish I could give clearer advice
> than that.

Ok, how about this one? I also frequent the nano and curl mailing lists.

>> Is there a limit, practical or imposed, on the length of a passphrase?
>> I'm thinking of a 740 char passphrase that, though containing
>> sentences and, therefore, making sense, (though perhaps only to some
>> sick people like me,) and also containing repetitions of words 4+
>> chars long, is really easy for me to remember. Do you think that it
>> would be a good passphrase?
>
> No.
>
> English has about 1.5 bits of entropy per glyph. Past about 384 letters
> you're not making things any harder to guess. Long passphrases also
> silently encourage users to do risky things like cut-and-paste them.
> (It's very easy for malware to look at the contents of your clipboard
> buffer.)

So, what you are saying is that past 384 chars, a longer passphrase ceases to be worth the effort? Did your figuring take into account the fact that I'm using punctuation marks too (max 68+26*2 chars of entropy?)

Another worthwhile Q, do people audit the gnupg source code for bugs? If so, how often? (I'm thinking as I write this of an idiotic bug in the openssl package. (The C in C is soft for S as in SANITIZE, not like K for KILL yourself.)) Yes, I could audit the source, but not for logical errors as I would not understand the algorithms involved.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users