To further clarify, GPG is complaining about insecure memory because for
your keys to be really secure it needs to lock the memory pages, which it
cannot do on your system as a normal user.  In other words, prevent the
OS from writing the memory to disk.  You can choose not to do this if you
want but you lose some security in choosing not to.  SUID root has
nothing at all to do with generating the keys as the root user.  It only
allows gpg to lock the memory page and it does the rest as the user you
are running it as.  This is not opinion, it's just the way things are.

I don't think those last couple emails you sent were very fair to Ian.  He
was trying to offer you help.  He took the time to give you FACTS (That
you could have found off the official webpage) and you blow up in his face
about him offering you his opinions.  Not a very nice way to say thank you
for the information.  Call this flaming or whatever you want, I really
don't care.  I'm just trying to defend someone who took time out of his
own schedule and tried to help you and didn't deserve the reaction he got
back.

-- 
Personal:

Trevor Lauder
Web: http://www.thelauders.net
E-Mail: [EMAIL PROTECTED]

Work:

Trevor Lauder
Technical Services Specialist
Wireless Networks Inc.
Web: http://www.wirelessnetworksinc.com
E-Mail: [EMAIL PROTECTED]

Garth Meisel said:
> I see, nothing to really clear up.  Sorry if you're sensitive.  I call a
> spade a spade when I see one.  Maybe a little more security minded than
> most and simply don't that I should agree with your opinion, that's
> all.
> So I'll take another stab at the same question and word it differently
> now that you've made your points.
>
> Just because a key is generated as root, does that make it any more
> secure than a key that is generated as a regular user that is not
> connected to the Internet or any network at all?  Keys are
> transferable.  This is also without the hindrance of sniffer programs
> already running on the given system to capture keystrokes, passwords or
> what have you.
>
> IMHO once the key is generated, I would think it's all over.  Doesn't
> matter if it's ROOT uid'd or not.  Therefore, I would not setuid root
> for a process that can be run as a user with the exact same results.
> That's why, I value your opinion and other's opinions as well.  Excuse
> my English, it's not one of my talents.
>
> If I'm wrong and I probably am, I would sooner make the compromise of
> having LESS secure email over leaving a security hole for someone to
> attack given systems with.  Just MHO again.
>
> So again, the question is, does GPG key generation matter if it's done
> as root vs being done as a general user who is not connected to any
> other computers that is not under surveillance?  Thanks.
>
>
>
> On Wednesday January 22 2003 14:55, you wrote:
>> Well, I'll have to say, I'm a little unclear about the tone of your
>> email. Before I make any further response, probably best that I toss
>> it back your way to clarify whether you found my original response
>> helpful or not.
>>
>> Ian
>>
>> On Wednesday 22 January 2003 1:09 pm, Garth Meisel wrote:
>> > Unfortunately, the manual does not give OPINIONS.
>> > Setting UID root is just not going to happen.
>> > And, now I'll RTFM again.  Brains as tiny as mine only hold so much
>> > information and this poor little sucker is best defined much like
>> > the Grinch's sled.


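The pattern discussed in this thread (lock the pages that hold secret material while the process still has the privilege to do so, then give up root and do everything else as the invoking user) can be sketched in C as follows. This is an added example, not part of the original messages and not GnuPG's own code; the function names `secret_alloc`, `secret_wipe`, `secret_free` and `drop_privileges` are hypothetical, and the secret is a constructed placeholder.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Map private pages for secret material and try to pin them in RAM.
 * *locked is 1 if mlock() succeeded, 0 if the pages may still be swapped
 * (the situation the "insecure memory" warning reports). */
static void *secret_alloc(size_t len, int *locked)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    *locked = (mlock(p, len) == 0);
    return p;
}

/* Permanently give up set-uid root: when the effective uid is 0, setuid()
 * resets the real, effective and saved uid. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setuid(ruid) != 0)
        return -1;
    return (geteuid() == ruid) ? 0 : -1;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void secret_wipe(void *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--)
        *v++ = 0;
}

static void secret_free(void *p, size_t len)
{
    secret_wipe(p, len);
    munlock(p, len);
    munmap(p, len);
}

int main(void)
{
    int locked = 0;
    size_t len = 4096;                               /* constructed size */
    unsigned char *key = secret_alloc(len, &locked); /* the only privileged step */
    int dropped = drop_privileges();                 /* the rest runs as the user */
    if (!key || dropped != 0)
        return 1;
    if (!locked)
        fprintf(stderr, "warning: secret buffer not locked, may reach swap\n");
    memcpy(key, "constructed-secret", 18);           /* placeholder for key material */
    secret_free(key, len);
    return 0;
}
```

Run as an ordinary user, `mlock()` succeeds only while the request fits within `RLIMIT_MEMLOCK`, and the program continues with the warning when it does not.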