Remote signing
Stuart A Yeates
stuart.yeates at computing-services.oxford.ac.uk
Tue Apr 20 14:28:35 CEST 2004
Dave Symonds wrote:
> On Tue, Apr 20, 2004 at 10:56:04AM +0100, Stuart A Yeates wrote:
>
>>Let me see if I've understood you correctly:
>
>
> I think you have it slightly backwards...
>
>
>>You have a Sun which does all your normal mail handling, and at
>>whose console you do your computing. You have another laptop
>>connected to the Sun via a public network which has your secret key.
>>When you wish to use your public keys you use ssh to start a bash shell
>>(or similar) on the laptop, transfer your data, perform your operation
>>and transfer your data back. Possibly you have a script to automate some
>>of these connection/transfer/operation/transfer steps.
>
>
> The Sun does all the normal mail handling, but there is no console that I
> use to access it directly (only via ssh). The ssh connection from my laptop
> to the Sun is the only true TCP connection (made easier with a ssh keypair,
> private key on laptop). Other things can be tunnelled through the ssh
> connection.
It's still not clear where the (ssh, gpg) keys are stored, where the
gpg cryptographic operations are performed and where the passwords and
passphrases are input and transferred.
> The GPG private
> key is stored on my laptop (with a passphrase), but is never sent over the ssh
> tunnel. When signing needs to occur the MUA will call out to some program or
> script that will use the ssh tunnel to send the email message back to the
> laptop, on which it will be displayed for checking. GPG signing takes place
> on the laptop, and the signed message is returned to the MUA.
Where does the MUA (or the program it calls out to) get the ssh password
and the gpg passphrase from?
If the ssh connection is establishable automatically, then an attacker
who has compromised the Sun can establish a connection to the laptop. If
the connection is to a general purpose account, all sorts of badness may
result.
stuart
--
Stuart Yeates stuart.yeates at computing-services.oxford.ac.uk
OSS Watch http://www.oss-watch.ac.uk/
Oxford Text Archive http://ota.ahds.ac.uk/
Humbul Humanities Hub http://www.humbul.ac.uk/
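An added example, not part of this thread and not code from either poster, of the mitigation Stuart's last point calls for: if the Sun must be able to reach the laptop automatically, the key it uses should land in a dedicated laptop account whose authorized_keys entry forces a single signing wrapper and disables forwarding, agent and PTY access, so a compromised Sun can request a signature but cannot get a general shell. The wrapper path /usr/local/bin/sign-only, the request word "sign" and the sample public key are assumptions; gpg is expected to already have the passphrase cached in gpg-agent on the laptop.

```shell
#!/bin/sh
# Added example (hypothetical names): confine what the Sun's ssh key may do on
# the laptop to one fixed signing operation.

# Build the authorized_keys line for the laptop-side signing account.
# command= is the OpenSSH forced command; the no-* options shut off port,
# X11 and agent forwarding and PTY allocation for this key only.
restricted_authorized_key() {
    pubkey="$1"   # the Sun's public key, e.g. "ssh-rsa AAAA... sun"
    printf 'command="/usr/local/bin/sign-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Policy for the forced command: sshd hands the client's requested command
# over in SSH_ORIGINAL_COMMAND; only the literal request "sign" is honoured.
sign_only_policy() {
    case "$1" in
        sign) echo allow ;;
        *)    echo deny  ;;
    esac
}

# Body of /usr/local/bin/sign-only: clearsign the message arriving on stdin
# and return it on stdout. The passphrase is never read from the Sun; it
# must already be cached by gpg-agent on the laptop.
sign_only_main() {
    if [ "$(sign_only_policy "${SSH_ORIGINAL_COMMAND-}")" != allow ]; then
        echo "sign-only: refused request: ${SSH_ORIGINAL_COMMAND-<none>}" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    gpg --clearsign < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only act as the wrapper when installed under that name, so sourcing this
# file elsewhere (for instance to reuse the helpers) runs nothing.
case "$0" in
    */sign-only|sign-only) sign_only_main ;;
esac
```

With this entry in place, the Sun side requests a signature with `ssh signer@laptop sign < message.txt > message.asc`; any other command string, including one with appended shell metacharacters, is refused by the wrapper before gpg is invoked, and the key cannot be used to open a shell or tunnel back into the laptop.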