Thanks for the input.

> As I mentioned, I am working on getting the s2k working for key generation, but even when that is implemented, private keys should still be regarded exactly the same as they are without a password. Brute forcing PGP keys (even with s2k type 3: salt + iterator) should be regarded as a viable attack for security considerations.

I agree that a private key should be handled with care. But I would like to add a comfortable solution to safewith.me for getting a private key from your PC to your iPhone. Also, I wouldn't want to leave the key just in the private storage of the user's browser. If they accidentally cleared the localStorage or they somehow lost access to their PC, they would also lose access to their files. Syncing their keys to a keyserver which is separate from the storage server would probably make the most sense. This may add an additional vulnerability to the system, but would greatly raise availability of the data. Also, it would be more secure than having the user email his keys to himself, which is the behavior that may be promoted if no solution is offered.

What do you think?

Tankred
_______________________________________________ http://openpgpjs.org

