Silk Road forums

Discussion => Security => Topic started by: SelfSovereignty on December 15, 2012, 06:07 pm

Title: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 15, 2012, 06:07 pm
Yeah, hi there.  So, twice now I've been in the process of setting up an order for about half a grand, and had to stop and give up on the idea because of a weak PGP key.  I'm no longer comfortable encrypting an address I'm going to be at to receive a package if the PGP key is less than 2048 bits long.  Weird stuff's been going on lately, we all know that, and I'd rather be free and with shitty drugs than in prison with no drugs, know what I mean.  Yep, I'm paranoid.  I've also done drugs for over a decade and have never been arrested.  I happen to think that's not coincidence.

Sooooo... you like dolla-dolla bills and all?  Yeah, me too.  Difference is, I like drugs more and give lots of money to people for their drugs.  So, how many bits does YOUR key have?  Think you may have lost a few $500+ orders because your key's too weak?  Honestly, I'm not trying to help you.  I'm trying to help me.  Use stronger keys so I can give you my money, damn it!    ::)

"Well then say something to the vendor!"  Yeah, I've done that before.  No go.  Too much hassle to change it once established, I guess.  But I'm not joking, two guys lost $500 of my dollars today.  I may be the only one, but at one lost order a week like that, it's over $20k/year.  That's some poor fucker's whole income.

Oh, and for the love of God, use your Silk Road account name in the name or comments or email or fucking something so I don't have to look up and verify every fucking time I order that I'm using the right key... we end up with fucking dozens of these things, and if I have to remember to identify your key under a name different than the Silk Road name I'm ordering from... that's just one more little reason to pay somebody else, ya know.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 15, 2012, 08:26 pm
Yeah, hi there.  So, twice now I've been in the process of setting up an order for about half a grand, and had to stop and give up on the idea because of a weak PGP key.  I'm no longer comfortable encrypting an address I'm going to be at to receive a package if the PGP key is less than 2048 bits long.  Weird stuff's been going on lately, we all know that, and I'd rather be free and with shitty drugs than in prison with no drugs, know what I mean.  Yep, I'm paranoid.  I've also done drugs for over a decade and have never been arrested.  I happen to think that's not coincidence.

Sooooo... you like dolla-dolla bills and all?  Yeah, me too.  Difference is, I like drugs more and give lots of money to people for their drugs.  So, how many bits does YOUR key have?  Think you may have lost a few $500+ orders because your key's too weak?  Honestly, I'm not trying to help you.  I'm trying to help me.  Use stronger keys so I can give you my money, damn it!    ::)

"Well then say something to the vendor!"  Yeah, I've done that before.  No go.  Too much hassle to change it once established, I guess.  But I'm not joking, two guys lost $500 of my dollars today.  I may be the only one, but at one lost order a week like that, it's over $20k/year.  That's some poor fucker's whole income.

Oh, and for the love of God, use your Silk Road account name in the name or comments or email or fucking something so I don't have to look up and verify every fucking time I order that I'm using the right key... we end up with fucking dozens of these things, and if I have to remember to identify your key under a name different than the Silk Road name I'm ordering from... that's just one more little reason to pay somebody else, ya know.
+1
It's especially annoying when the name in a PGP key differs from their username so I have to do "gpg --list-keys" and scroll through the fucking list every time I want to encrypt something.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Boyd Crowder on December 16, 2012, 01:44 am
I'm hopeless with pgp. Any chance one of you guys can check out my key and let me know how safe it is?


Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 01:51 am
Well, Boyd, here's the full data of your key:

Code:
pub:-:2048:1:23281D00A10A5CED:1354603173:1480833573::-:::escaESCA:
fpr:::::::::D164979A8381ACDDF1F9355623281D00A10A5CED:
uid:-::::1354603173::129108E4C0577415F2EA4EED55D1FA9B8596591A::BoydC <boyd@sr>:
sub:-:2048:1:5A60689842D1EBDA:1354603173:1480833573:::::esa:

Here's the brief, usual output:
Code:
pub   2048R/A10A5CED 2012-12-04 [expires: 2016-12-04]
uid                  BoydC <boyd@sr>
sub   2048R/42D1EBDA 2012-12-04 [expires: 2016-12-04]

Yeah, it's fine.  2048-bit RSA primary w/ a 2048-bit RSA subkey.  Both the primary and subkey can be used for encryption... which I've never seen, but I'm not a PGP expert or anything.  Interesting.
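
Added example, not part of SelfSovereignty's post: a Python sketch that reads the same `--with-colons` listing and applies the two checks this thread asks of a key (at least 2048 bits, forum account name somewhere in the user ID), and also reports which keys carry the encryption capability. The function and class names are hypothetical, the field positions follow GnuPG's colon-delimited listing format, and the second listing is a constructed sample.

```python
from dataclasses import dataclass, field

# OpenPGP public-key algorithm IDs as they appear in field 4 of pub/sub records.
ALGOS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}

@dataclass
class Key:
    kind: str   # "pub" (primary) or "sub" (subkey)
    bits: int
    algo: str
    keyid: str
    caps: str   # lowercase letters: e=encrypt, s=sign, c=certify, a=authenticate

@dataclass
class Report:
    keys: list = field(default_factory=list)
    uids: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    def encryption_keyids(self):
        # Only lowercase letters describe this key itself; uppercase letters on
        # a pub record summarise the whole key, subkeys included.
        return [k.keyid for k in self.keys if "e" in k.caps]

def audit(listing, account, min_bits=2048):
    """Parse gpg --with-colons key-listing output and apply the thread's checks."""
    rep = Report()
    for line in listing.strip().splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            algo = ALGOS.get(f[3], "algo " + f[3])
            rep.keys.append(Key(f[0], int(f[2]), algo, f[4], f[11]))
        elif f[0] == "uid" and len(f) > 9:
            rep.uids.append(f[9])
    for k in rep.keys:
        if k.bits < min_bits:
            rep.findings.append(
                f"{k.kind} {k.keyid}: {k.bits}-bit {k.algo} is below {min_bits} bits")
    if not rep.encryption_keyids():
        rep.findings.append("no encryption-capable key or subkey")
    if not any(account.lower() in u.lower() for u in rep.uids):
        rep.findings.append(f"no user ID contains the account name {account!r}")
    return rep

# The listing quoted in the post above.
PAGE_KEY = """
pub:-:2048:1:23281D00A10A5CED:1354603173:1480833573::-:::escaESCA:
fpr:::::::::D164979A8381ACDDF1F9355623281D00A10A5CED:
uid:-::::1354603173::129108E4C0577415F2EA4EED55D1FA9B8596591A::BoydC <boyd@sr>:
sub:-:2048:1:5A60689842D1EBDA:1354603173:1480833573:::::esa:
"""

# Constructed sample (not from the thread): 1024-bit DSA primary, Elgamal subkey.
WEAK_KEY = """
pub:-:1024:17:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
uid:-::::1262304000::0000000000000000000000000000000000000000::example vendor <v@example.invalid>:
sub:-:1024:16:BBBBBBBBBBBBBBBB:1262304000::::::e:
"""

if __name__ == "__main__":
    for label, listing, account in (("page key", PAGE_KEY, "BoydC"),
                                    ("page key", PAGE_KEY, "Boyd Crowder"),
                                    ("constructed weak key", WEAK_KEY, "vendor")):
        rep = audit(listing, account)
        print(label, "as", repr(account), "->", rep.findings or "no findings",
              "| encrypts with:", rep.encryption_keyids())
```

Run against the page's listing, the name check passes for "BoydC" but not for the forum name "Boyd Crowder", which is the mismatch the first post complains about.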
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 16, 2012, 01:52 am
I'm hopeless with pgp. Any chance one of you guys can check out my key and let me know how safe it is?

2048 bits.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 01:53 am
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 16, 2012, 01:55 am
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?
What do you mean? It seems fine to me.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 02:00 am
There's always a comment line about the version & program used to generate the key.  This is actually more than just advertising: if a version is found to have a problem with one of its algorithms, that has to be known so a later version can say "this key was generated with a known flawed version and may be unsafe," or something.

This key has no comment.

Both the primary and subkeys can be used for encryption.  I've never seen that.  GPG is fine with it, but... I've just never seen it -- together, I call it "quirky."
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 16, 2012, 02:22 am
There's always a comment line about the version & program used to generate the key.  This is actually more than just advertising: if a version is found to have a problem with one of its algorithms, that has to be known so a later version can say "this key was generated with a known flawed version and may be unsafe," or something.

This key has no comment.

Both the primary and subkeys can be used for encryption.  I've never seen that.  GPG is fine with it, but... I've just never seen it -- together, I call it "quirky."
Okay, I see how the comment is important but I don't even know what a subkey is ;D
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 02:25 am
Well, you can have... I think actually unlimited subkeys?  Not really sure.  At least several.  Can even attach a fucking photo to your key if you really want :P  gpg is a pretty spiffy program.

Usually you have one primary key, and one subkey -- not all keys can be used for both encryption and signing (to verify you're the one who wrote something).  So usually you have one for signing, and one for encryption.  Usually.  Like I said, gpg is fine with this key, it gave no errors or anything... but it's quirky is all :)

DSA keys cannot encrypt.  They can only sign.  I think RSA can do either... but don't quote me on it.  And I'm not sure if they can do both at the same time, or if you have to pick which one you want a certain key to be for.  These are all heavy math details, and I'll be honest and say I've studied this stuff because I'm a fucking geek to the Nth degree... but I only read it for pleasure, not worried about actually proving the algorithms or some shit.

In short, I can't remember the details, heh.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 02:29 am
P.S. -- I deleted your key from my keyring.  Don't bother trying to profile me by finding the guy who actually has that key, lol.

(joking, just being facetious about paranoia)
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 16, 2012, 02:33 am
He probably just edited out the line to hide which kind of system he's operating on, not knowing how important the line is.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: astor on December 16, 2012, 02:48 am
There's always a comment line about the version & program used to generate the key.  This is actually more than just advertising: if a version is found to have a problem with one of its algorithms, that has to be known so a later version can say "this key was generated with a known flawed version and may be unsafe," or something.

The comment can be removed with --no-emit-version or manually. It's not a necessary part of the PGP spec. However, if you use an obscure PGP program, putting that in the comment can greatly reduce your anonymity set.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 02:59 am
Hmm... true, true.  I suppose it depends on whether your primary concern is anonymity, or secrecy.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Boyd Crowder on December 16, 2012, 09:41 am
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?

I have not attempted to remove the comment line, would not know how to. I used gpgtools for mac, with a little help from Guru who will be missed. One problem I have is that since generating the key I have not once been asked for a password, even after rebooting. I told guru about it and he said his gf's mac was the same but didn't know why, I would prefer if it did ask for my password. Thanks for the info guys.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 16, 2012, 06:18 pm
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?

I have not attempted to remove the comment line, would not know how to. I used gpgtools for mac, with a little help from Guru who will be missed. One problem I have is that since generating the key I have not once been asked for a password, even after rebooting. I told guru about it and he said his gf's mac was the same but didn't know why, I would prefer if it did ask for my password. Thanks for the info guys.

That would mean that there is no passphrase, my friend.  You can do that with gpg in Linux, too, but I think it warns you about it.

This means that anyone who gets your private key can impersonate you with ease.

Edit: to be clear, this means that they can decrypt any messages that were sent to you without any passwords ever being involved.  That private key is the *only* thing needed to do everything that you do.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Nightcrawler on December 18, 2012, 09:13 am
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?

I have not attempted to remove the comment line, would not know how to. I used gpgtools for mac, with a little help from Guru who will be missed. One problem I have is that since generating the key I have not once been asked for a password, even after rebooting. I told guru about it and he said his gf's mac was the same but didn't know why, I would prefer if it did ask for my password. Thanks for the info guys.

That would mean that there is no passphrase, my friend.  You can do that with gpg in Linux, too, but I think it warns you about it.

This means that anyone who gets your private key can impersonate you with ease.

Edit: to be clear, this means that they can decrypt any messages that were sent to you without any passwords ever being involved.  That private key is the *only* thing needed to do everything that you do.

Incorrect. By default, GPGTools appears to store the user's passphrase in the Apple Keychain. As such, the user is not prompted for the passphrase, and messages are automatically decrypted.  I don't think this is a particularly good idea.

However, there is a fairly simple fix for this, as follows:

1) click on the little black apple in the toolbar at the top of your screen; the black apple is the leftmost item.

2) When the menu opens up, click on System Preferences

3) When the System Preferences pane opens up, click on GPGPreferences

4) When GPGPreferences opens up, you will be on the Configure tab. Under that you will see a check-box labelled "Use Keychain to store passphrases by default" -- put a check in that box.  There will be a little box where you will see the number 600 -- this represents the number of seconds that the passphrase is cached (or stored) for.  If you replace the number 600 with the number 0, the passphrase will be stored in the Keychain for zero seconds (essentially not at all), and the user will be prompted for the passphrase each and every time they go to decrypt a message.

NC
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: SelfSovereignty on December 18, 2012, 06:51 pm
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?

I have not attempted to remove the comment line, would not know how to. I used gpgtools for mac, with a little help from Guru who will be missed. One problem I have is that since generating the key I have not once been asked for a password, even after rebooting. I told guru about it and he said his gf's mac was the same but didn't know why, I would prefer if it did ask for my password. Thanks for the info guys.

That would mean that there is no passphrase, my friend.  You can do that with gpg in Linux, too, but I think it warns you about it.

This means that anyone who gets your private key can impersonate you with ease.

Edit: to be clear, this means that they can decrypt any messages that were sent to you without any passwords ever being involved.  That private key is the *only* thing needed to do everything that you do.

Incorrect. By default, GPGTools appears to store the user's passphrase in the Apple Keychain. As such, the user is not prompted for the passphrase, and messages are automatically decrypted.  I don't think this is a particularly good idea.

However, there is a fairly simple fix for this, as follows:

1) click on the little black apple in the toolbar at the top of your screen; the black apple is the leftmost item.

2) When the menu opens up, click on System Preferences

3) When the System Preferences pane opens up, click on GPGPreferences

4) When GPGPreferences opens up, you will be on the Configure tab. Under that you will see a check-box labelled "Use Keychain to store passphrases by default" -- put a check in that box.  There will be a little box where you will see the number 600 -- this represents the number of seconds that the passphrase is cached (or stored) for.  If you replace the number 600 with the number 0, the passphrase will be stored in the Keychain for zero seconds (essentially not at all), and the user will be prompted for the passphrase each and every time they go to decrypt a message.

NC

Hrm; I just assumed that if that's what was going on, it would at least time out in 5-10 minutes... obviously I was mistaken.  Thanks for the correction, Nightcrawler.
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Nightcrawler on December 18, 2012, 11:19 pm
... wait. What did you use to gen this?  It's... weird.  I mean I think it's fine, but... it's quirky?

I have not attempted to remove the comment line, would not know how to. I used gpgtools for mac, with a little help from Guru who will be missed. One problem I have is that since generating the key I have not once been asked for a password, even after rebooting. I told guru about it and he said his gf's mac was the same but didn't know why, I would prefer if it did ask for my password. Thanks for the info guys.

That would mean that there is no passphrase, my friend.  You can do that with gpg in Linux, too, but I think it warns you about it.

This means that anyone who gets your private key can impersonate you with ease.

Edit: to be clear, this means that they can decrypt any messages that were sent to you without any passwords ever being involved.  That private key is the *only* thing needed to do everything that you do.

Incorrect. By default, GPGTools appears to store the user's passphrase in the Apple Keychain. As such, the user is not prompted for the passphrase, and messages are automatically decrypted.  I don't think this is a particularly good idea.

However, there is a fairly simple fix for this, as follows:

1) click on the little black apple in the toolbar at the top of your screen; the black apple is the leftmost item.

2) When the menu opens up, click on System Preferences

3) When the System Preferences pane opens up, click on GPGPreferences

4) When GPGPreferences opens up, you will be on the Configure tab. Under that you will see a check-box labelled "Use Keychain to store passphrases by default" -- put a check in that box.  There will be a little box where you will see the number 600 -- this represents the number of seconds that the passphrase is cached (or stored) for.  If you replace the number 600 with the number 0, the passphrase will be stored in the Keychain for zero seconds (essentially not at all), and the user will be prompted for the passphrase each and every time they go to decrypt a message.

NC

Hrm; I just assumed that if that's what was going on, it would at least time out in 5-10 minutes... obviously I was mistaken.  Thanks for the correction, Nightcrawler.

It should have timed out in 10 minutes, but did not, for whatever reason, thus the need for the fix.

NC
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Vlad Tepes on December 19, 2012, 12:06 pm
This thread actually compelled me to make a stronger key-pair. I had 2048-bit keys to begin with, but what's the harm in using 3072 anyway?
Title: Re: Vendors: plz use strong PGP keys so I can give you my moneyz...!
Post by: Ballzinator on December 19, 2012, 01:21 pm
This thread actually compelled me to make a stronger key-pair. I had 2048-bit keys to begin with, but what's the harm in using 3072 anyway?
+1