Re: Physical storage of key is the weakest link



[email protected] tells us:
>Much more likely:
>
>* Diskettes left lying around. Secret keys on home computers.
>
>* Incompletely erased files. (Norton Utilities can recover erased
>files; mil-grade multiple-pass erasure may be needed.)
>
>
>A simple search warrant executed on your premises will usually crack
>open all your crypto secrets. (Fixes to this are left as an exercise.)
>
>Where to store one's secret key is an issue that makes academic the
>issue of whether one's key can be compelled. A diskette stored at
>one's home, in one's briefcase, etc., can be gotten. A pendant or
>dongle or whatever that stores the key can also be gotten. The
>passphrase (8-12 characters, typically) is secure, but not the key.
>
>--Tim May

If your passphrase is good (128+ bits of entropy), then your private key is
as secure as the messages that you send. Although it need be broken only
once, I see no real danger of IDEA being compromised in the near future.
Given a good passphrase, I would suggest that you want multiple copies of
your key to prevent loss or accidental destruction. My passphrase is > 30
characters. Fortunately Mac PGP remembers the key during any given session
so typing is kept down a bit.

--------------------------------------------------
Lance Cottrell  who does not speak for CASS/UCSD
[email protected]
PGP 2.3 key available by finger or server.

"Love is a snowmobile racing across the tundra.  Suddenly
it flips over, pinning you underneath.  At night the ice
weasels come."
                        --Nietzsche