[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: KWallet integration
From:       Daniel Stone <daniel () fooishbar ! org>
Date:       2003-09-04 11:38:34
[Download RAW message or body]


On Thu, Sep 04, 2003 at 12:52:37PM +0200, Rob Kaper wrote:
> On Thu, Sep 04, 2003 at 12:11:13PM +0200, Martijn Klingens wrote:
> > If root doesn't have the key it is always capable to retrieve it in a system 
> > that's in use. Encryption only helps against systems that are not and cannot 
> > be trojaned.
> 
> True, but that's no argument not to encrypt, or not to secure.

Yes.

As I said on IRC, I could get shot in the head while walking down the street. I
don't spend my life in a bombproof vest, however; I just try to avoid walking
down dark alleys in dodgy parts of the city at 4am when I'm too drunk to defend
myself.

Encryption makes life a hell of a lot harder for attackers; not impossible, just
harder. It's like MD5 passwords: do you (not you, Capsi; a more inclusive "you")
store all your passwords as crypt, or plaintext, simply because you could defeat
MD5 if you really felt like it?

I think most of this thread has missed the point; yes, you *could* defeat
KWallet's security if you really wanted to. However, you could also get my GnuPG
passphrase by attaching electrodes to my testicles; that's not a good argument
for me to put my unpassworded private key on a public location, though.

This is about relative security, and whether the merits outweigh the negatives,
not about whether backups could be potentially be cracked.

Do the merits outweigh the negatives?

-- 
Daniel Stone                                              <daniel@fooishbar.org>
http://www.debian.org - http://www.kde.org - http://www.freedesktop.org
"Configurability is always the best choice when it's pretty simple to implement"
  -- Havoc Pennington, gnome-list

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]