Sidd:
> Even if I get your PGP private key, I need your PGP password
> to decrypt the key!

Yet, with the ability to suck the private key off a user's hard drive, which has been assumed here, but has not been demonstrated, a simple keystroke log should get the PGP password, one would think.

I suspect it is harder than has been assumed here for the purpose of discussion to pull the private key off someone's hard drive. But, if that capability exists, how much harder could it be to keystroke log the user until you have his password? Fairly easy I would suspect.

Which makes me wonder why the sort of virtual keyboard used at e-gold.com, or the CryptoCard technology used at e-Bullion isn't integrated into the next versions of PGP. (I suppose it will have to be done by the OpenPGP developers, since I gather that Network Associates are not wanting to invest further in upgrades to PGP as a commercial software product.)

I had heard that there was significant vulnerability in the password of PGP back in 1996 from a business associate who claimed to be knowledgeable about such things. Good to know it is fixed in the latest GnuPGP.

Regards,

Jim
http://cambist.net/
