On 04 Dec 1998 05:32:33 PST, you said:
> Once I did manage to get it built (and after generating a secure key
> on a Linux box with /dev/random and importing it to the BSDI box) it
> spits this at me when stuff is signed:

This is, in *general*, not the recommended procedure, for all the
obvious reasons having to do with people seeing the keys as they go by
on the wire or finding the floppy after you sneakernet it. Now, if
you use sufficient care (such as using SSH with good crypto support),
you can close those exposures, but... ;)

> Um, what does having a weak RNG have to do with signing with a key
> generated with a strong RNG?

Due to the above, the code is making an assumption that the key was
generated on the local machine. It has no way of knowing that you
built it on a machine with a working /dev/random and played crypto
games behind its back...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech