commons-dev mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: [doc] how to release - feedback
Date Tue, 02 Sep 2003 01:35:34 GMT
> > As a voting matter, I'd be -1 (policy, not veto) for storing
> > private keys on the server.

> Is this due to security, or a personal preference?

Security.

Although it has happened only once, as far as I know, if there were a
security breach, it would make things even worse if many, or all, of the
signing keys were compromised at the same time.  We can validate CVS content
from backup and logs, but why put signing keys at risk by encouraging
developers to have them on minotaur?

Even if you use a passphrase, someone could use a custom cracker/decoder to
crack it, and have access to your private key.

ref: http://pgp.dtype.org/pgpnet/pgp-faq/faq-03.html#3.9
     http://www.ephesus.com/Encryption/Passphrase.html
     http://www.unix-ag.uni-kl.de/~conrad/krypto/passphrase-faq.html
     http://www.stack.nl/~galactus/remailers/passphrase-faq.html

Cracking public key encryption might be hard, but cracking someone's
passphrase can be all too easy.

	--- Noel
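The policy concern above is that private signing keys end up in home directories on a shared host. An added example, not code from the thread or from the Apache Commons project, is a small audit script an administrator could run over home directories to find OpenPGP private key material (ASCII-armored blocks or the classic `secring.gpg` keyring) and flag copies readable by group or others; it also recognises PEM-style private keys, which goes a little beyond the PGP keys the message discusses. The root directory and the `secring.gpg` filename convention are assumptions.

```python
import os
import re
import stat
import sys

# Armor headers for OpenPGP private keys plus common PEM private-key headers.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (PGP PRIVATE KEY BLOCK|(RSA |DSA |EC |OPENSSH )?PRIVATE KEY)-----"
)
# Classic GnuPG secret keyring filename (assumption: pre-2.1 GnuPG layout).
SECRING_NAMES = {"secring.gpg"}


def classify(name, head):
    """Return why a file looks like private key material, or None.

    `name` is the basename, `head` the first bytes of the file."""
    if name in SECRING_NAMES:
        return "gnupg secret keyring"
    if PRIVATE_KEY_RE.search(head):
        return "armored private key block"
    return None


def find_private_keys(root, max_bytes=65536):
    """Walk `root` and return (path, reason, loosely_readable) for each hit.

    loosely_readable is True when the mode grants read to group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    reason = classify(name, fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: not ours to inspect
            if reason is not None:
                loose = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
                findings.append((path, reason, loose))
    return findings


if __name__ == "__main__":
    for path, reason, loose in find_private_keys(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f"{path}: {reason}{' (readable by group/others)' if loose else ''}")
```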

