NYCPHP Meetup

[nycphp-talk] cookbook: gpg

David Mintz dmintz at panix.com
Tue Aug 12 17:29:24 EDT 2003


On Mon, 11 Aug 2003, David Sklar wrote:

>
> To encrypt only, yes, you just need the public key of the recipient. To
> encrypt and sign, you need the private key of the signer as well.
>
> So if you're just encrypting the credit card data with a public key and
> storing it in a place where the corresponding private key isn't, then you
> should be protected against someone retrieving the encrypted data and then
> decrypting it.
>
> You aren't protected against someone injecting false data that's correctly
> encrypted into the system (via a hole in your app). This may not be such a
> big concern.

Thanks.

I'd love to see a snippet showing how user nobody encrypts data without
signing or requiring any secret key. That seems to be where I'm stuck. GPG
needs access to the public keyring containing the recipients public key,
right? If that's under my home directory then I have to open up the
permissions on it so 'nobody' can get in there, no?

---
David Mintz
http://davidmintz.org/
Email: See http://dmintzweb.com/whitelist.php first!



More information about the talk mailing list