Remote signing
Ian Bruce
ian_bruce at fastmail.fm
Wed Apr 21 01:21:45 CEST 2004
On Tue, 20 Apr 2004 22:39:51 +1000
Dave Symonds <dasymond at it.usyd.edu.au> wrote:
> On Tue, Apr 20, 2004 at 01:28:35PM +0100, Stuart A Yeates wrote:
> > >The Sun does all the normal mail handling, but there is no console
> > >that I use to access it directly (only via ssh). The ssh
> > >connection from my laptop
> > >to the Sun is the only true TCP connection (made easier with a ssh
> > >keypair, private key on laptop). Other things can be tunnelled
> > >through the ssh connection.
> >
> > It's still not clear where the (ssh, gpg) keys are stored, where
> > the gpg cryptographic operations are performed and where the
> > passwords and passphrases are input and transferred.
>
> All private keys are kept on the laptop, as are the GPG operations. The
> passphrases are entered directly onto the laptop. Emails are entered
> into the Sun via the ssh tunnel, but the actual privacy is not really
> an issue, only the integrity.

It appears to me that there is some mutual misunderstanding involved in
this conversation. As far as I understand, the situation is as follows:

The human user is physically seated in front of his own laptop computer,
on which is stored his GPG secret key. There is an SSH session
connecting that laptop to a remote Sun computer. The mail client is
running on the Sun machine, with its console I/O tunnelled over SSH to a
terminal process running on the laptop. It is proposed that when the
mail client sends a message, it will first provide the message text to a
script running on the laptop, using the same SSH session. That script
will then prompt the human user for the GPG passphrase, sign the message
text, and return it to the mail client on the Sun. The message will then
be sent using the normal SMTP protocols.

As far as security is concerned, the important point is that neither the
GPG key nor passphrase will ever leave the laptop. They are entirely
separate from the SSH key. If the Sun machine or the SSH session are
compromised, the worst that can happen is that the human user will be
tricked into signing a bogus message.

Is that about right?

Assuming that it is, I have to ask why you wouldn't just run the mail
client on the laptop and avoid all the extra complication. You can then
either tunnel the IMAP and SMTP connections over SSH or just use
IMAP/SSL and SMTP/SSL directly.

Ian Bruce
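The laptop-side signing script described in the message above, as an added example written for this page (it is not code from the thread or from GnuPG). It assumes the SSH session carries an `ssh -R` reverse forward of a loopback port, that the mail client on the Sun pipes the outgoing text through `nc` to that port, and that `gpg` is installed on the laptop; the confirmation prompt is the control against the bogus-message risk named above.

```python
import socketserver
import subprocess
import sys

# Assumed deployment (not from the original thread): on the laptop run
#   ssh -R 7777:127.0.0.1:7777 sun
# so port 7777 on the Sun is carried back over the same SSH session to
# this server; on the Sun the mail client pipes the message text through
# e.g. `nc -N 127.0.0.1 7777` (half-close after sending) and mails the reply.
LISTEN = ("127.0.0.1", 7777)   # loopback only: never exposed to the network


def gpg_clearsign(text: str) -> str:
    """Sign on the laptop with the local GPG key; gpg prompts for the passphrase."""
    out = subprocess.run(["gpg", "--clearsign"], input=text.encode(),
                         capture_output=True, check=True)
    return out.stdout.decode()


def ask_user(text: str) -> bool:
    """Show exactly what arrived from the Sun before anything is signed."""
    print("---- message received for signing ----\n" + text + "\n----", file=sys.stderr)
    return input("Sign this message? [y/N] ").strip().lower() == "y"


def handle_request(text: str, confirm=ask_user, signer=gpg_clearsign) -> str:
    """Return the clearsigned message, or an empty string if signing is refused.

    A compromised Sun or SSH session can only feed text into this path; the
    key and passphrase stay on the laptop, and nothing is signed unseen.
    """
    if not text.strip() or not confirm(text):
        return ""
    return signer(text)


class SignHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # read until the client half-closes, then answer on the same connection
        text = self.rfile.read().decode(errors="replace")
        self.wfile.write(handle_request(text).encode())


if __name__ == "__main__":
    with socketserver.TCPServer(LISTEN, SignHandler) as srv:
        srv.serve_forever()
```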