> On 09.04.2017 at 04:20, Robert J. Hansen <r...@sixdemonbag.org> wrote:
>
>> BUT, leaving your private key on your laptop, tablet, or phone is
>> about as secure as leaving a spare key to your house under the door
>> mat.
>
> This is not true, not for any sensible definition of 'secure'.

"secure" is not a one-dimensional scale with "yes" and "no" at each end. Precise definitions are only useful for specific attack vectors. Standards and laws like NIST 800-63 or eIDAS give a good overview of various risks, as they have been trying to squeeze them into assurance levels to reduce complexity.

> My passphrase is literally 16 random bytes read from /dev/random, base64
> encoded, to produce a passphrase of 128 bits strength. If you'll pay to
> run the ad, I'll happily publish my private key in the newspaper of your
> choice. Yes, I'm serious.
>
> If your private key is at risk of being seen by your adversaries then
> it's extremely important to have a good passphrase. But so long as you
> do, your private key is safe.

A long and random passphrase is a good measure against dictionary and brute force attacks. It does not defend against malware sniffing the keyboard or scraping memory pages. It protects your /encrypted/ private key, but not during signing and encryption. Moving operations needing the unencrypted key to a smartcard provides additional protection on an infested system. Smartcard readers with pinpads and displays add defense against certain attacks that are possible against a Yubi-/Nitrokey-type reader.

- Rainer

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
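As an added example (not code from this thread or from GnuPG), a small Python model of the argument above: the passphrase construction described (16 random bytes, base64), what brute-forcing 128 bits costs at a given guess rate, and why a passphrase found in a wordlist leaves the encrypted key file open to whoever holds it. The `s2k_like_key` KDF is a PBKDF2 stand-in and an assumption for illustration; GnuPG's real S2K is a different construction.

```python
import base64
import hashlib
import os
from typing import Iterable, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(n_bytes: int = 16) -> str:
    """Build a passphrase as described in the thread: n random bytes, base64-encoded.
    os.urandom() is used here as the portable stand-in for reading /dev/random."""
    return base64.b64encode(os.urandom(n_bytes)).decode("ascii")


def entropy_bits(n_bytes: int) -> int:
    """Strength of such a passphrase: each random byte contributes 8 bits, so 16 bytes give 128."""
    return 8 * n_bytes


def expected_years_to_crack(bits: int, guesses_per_second: float) -> float:
    """Average brute-force time: half the space has to be searched at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def s2k_like_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for OpenPGP's iterated-and-salted S2K: a deliberately slow KDF turning the
    passphrase into the key that protects the private key at rest.
    Constructed with PBKDF2 for illustration only; GnuPG's S2K is not PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def wordlist_hit(target_key: bytes, salt: bytes, candidates: Iterable[str],
                 iterations: int = 100_000) -> Optional[str]:
    """What an adversary holding the *encrypted* key file can try: run each wordlist entry
    through the KDF and compare. A random 128-bit passphrase is never in such a list,
    which is the whole protection; a memorable one may well be."""
    for word in candidates:
        if s2k_like_key(word, salt, iterations) == target_key:
            return word
    return None


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, entropy_bits(16), "bits")
    # at 1e12 guesses/s the expected search still runs for billions of billions of years
    print(f"{expected_years_to_crack(128, 1e12):.2e} years")
```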