
List:       winpt-dev
Subject:    Re: [WINPT DEVELOPERS] [Q] Customization
From:       Timo Schulz <twoaday () freakmail ! de>
Date:       2003-05-22 7:22:18

On Wed May 21 2003; 18:16, Daniel Carrera wrote:

> You see, I figure that I'll have to show them how to install WinPT and 
> then they'll go home and do it.  Asking them to remember to change a bunch 
> of values will significantly complicate the process.  In fact, if I can't 
> get the "customized" WinPT I'll probably only mention the word-wrap 
> setting and leave everything else the same.

A good idea. I guess the default WinPT values are secure and easy
enough for most people. I will probably divide the key generation
dialog like PGP does (wizard+expert).


> > the keysize is only one limb in a chain called security. A 2048 key
> > won't help much if you use weak passphrases. So what's wrong with 1792?
> 
> The 2048-bit key was just a small addition.  I figured I'd ask since I was 
> already asking for some settings to be changed.

OK, so this would be no problem.


> > To use such a value by default makes attack scenarios more likely. 
> > I don't know how safe the machines of the customers are, but 30
> > minutes is a long time.
> 
> Really?
> What kind of attack scenarios are more likely?

Maybe some scenarios are too paranoid, but a trojan could search for
the passphrase in memory or a malicious program could invoke
GPG to sign a bad contract or whatever. And the longer the passphrase
is held in memory, the bigger the chance that it gets swapped.

 
> Most of these people will be using the computers from home.  Perhaps I 
> should explain the situation a bit more:
[snip: thanks for the explanation]
> distribute CDs that they can "just install".  This would free up more time 
> to explain the concepts behind GnuPG and how to use it properly.

I agree that cryptography should be easier to use and I want WinPT
to be usable by all kinds of people. _But_ I always see a little problem:
if you don't know any details about the schemes, it's much easier for
an attacker to fool you.

 
> know why they must be wary of messages that are not signed.  And they need 
> to learn the proper way of exchanging keys.

Yes, that's true.


> > Yes, I see the point and I agree with you. But I guess something like
> > an admin application to control WinPT is a better approach.
> 
> What is PGPAdmin?  Where can I get it?
> If it can solve my problem it would be wonderful.

PGPAdmin is part of PGP and *only* useful for this app. I just used it
as a general example because it's a good comparison.


> I don't have a Windows computer, so I can't easily compile Windows 
> programs (in fact, I have no clue how I could).

I will try to set more default values for 0.8, but before that you could
simply use a registry script to set the word wrapping to 70 and to
set the other options. Then people only need to double-click the script
and all values are set, and there is no need to do it manually.


> > for admins to do mass installations of WinPT without the need to 
> > configure each version.
> 
> That sounds very much like what I'm trying to do.
> Could you send me a link to PGPAdmin?

As I said before, it's part of PGP (http://www.pgp.com).


> Is 70 a good size to pick?

Yes, 70 or 72 is a good choice.


> Thanks for your help.  I appreciate it.

I'm glad to help whenever it's possible.


        Timo

-- 
Windows Privacy Tools            "The virtuous man contents himself with dreaming
(http://winpt.sourceforge.net)    of what the wicked man does in real life."
OpenPGP Key 0xBF3DF9B4           -- Plato
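
The message above ties the risk of a cached passphrase to how long it stays in memory and whether it can be swapped out. The C sketch below is an added example, not code from WinPT or GnuPG: a cache that expires after a configurable lifetime, asks the kernel to keep its pages out of swap, and wipes the buffer on expiry. It assumes POSIX `mlock()` (on Windows the corresponding call is `VirtualLock()`); the `pass_cache` structure and function names are hypothetical.

```c
#include <string.h>
#include <time.h>
#include <sys/mman.h>

#define PASS_MAX 256
/* Hypothetical cache for this example; not WinPT's or GnuPG's own structure. */
struct pass_cache {
    char   secret[PASS_MAX];
    size_t len;
    time_t expires;  /* absolute expiry time */
    int    locked;   /* 1 if mlock() succeeded */
};

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

void cache_init(struct pass_cache *c) {
    memset(c, 0, sizeof *c);
    /* Keep the pages out of swap; can fail under RLIMIT_MEMLOCK, so record it. */
    c->locked = (mlock(c, sizeof *c) == 0);
}

void cache_clear(struct pass_cache *c) {
    secure_wipe(c->secret, sizeof c->secret);
    c->len = 0; c->expires = 0;
}

/* Cache pass for ttl seconds from now; -1 if empty, too long, or ttl <= 0. */
int cache_put(struct pass_cache *c, const char *pass, long ttl, time_t now) {
    size_t n = strlen(pass);
    if (n == 0 || n >= PASS_MAX || ttl <= 0) return -1;
    cache_clear(c);
    memcpy(c->secret, pass, n);
    c->len = n; c->expires = now + ttl;
    return 0;
}

/* Return the passphrase while valid; once expired, wipe it and return NULL. */
const char *cache_get(struct pass_cache *c, time_t now) {
    if (c->len && now >= c->expires) cache_clear(c);
    return c->len ? c->secret : NULL;
}

void cache_destroy(struct pass_cache *c) {
    cache_clear(c);
    if (c->locked) { munlock(c, sizeof *c); c->locked = 0; }
}
```

A shorter `ttl` narrows the window in which another process on the same machine can find or use the cached value; when `locked` is 0 the buffer may still reach swap, so a caller can choose not to cache at all.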


