Bug in GnuPG

Joe Vender jvender at owensboro.net
Wed Jan 11 15:37:41 CET 2006


When someone else encrypts to multiple anonymous recipients including
myself, my own hidden_recipient(session_key) could potentially be anywhere
from the beginning to the end of the list. So, unless the way GnuPG
recurses through the lists (see suggestion by Kurt Fitzner) is changed if
possible, or my passphrase is cached after the first entry and
automatically resubmitted until the decryption process either succeeds or
fails, I will still get multiple, possibly very many, anonymous passphrase
prompts until my hidden_recipient(session_key) is encountered. Also, many
users will not be willing, or at least prefer not, to cache the passphrase
due to security concerns. There must be a better way of handling this. It
seems to me that changing the recursion scheme is the best approach. If
Kurt's approach is possible, it would also eliminate the need to make sure
my hidden_recipient(session_key) is at the top of the list on messages
which I encrypt anonymously to others while including myself, since it
would first ask for my passphrase and then move through the
hidden_recipient(session_key) list until it encountered the one that
matched the right key to decrypt the message.

Joe
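
A toy model of the two loop orders discussed in the message above, as an added example that is not part of the original post and is not GnuPG code. The symmetric `wrap`/`try_unwrap` helpers, the single-key keyring and all names are assumptions standing in for session-key packets that carry no key ID; the function counts passphrase prompts when my packet sits at a given position in the list.

```python
import hashlib
import hmac
import os

def unlock(passphrase, salt):
    """Toy stand-in for unlocking a secret key with a passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)

def _pad(key, nonce):
    return hashlib.sha256(key + nonce).digest()

def wrap(key, session_key):
    """Toy hidden-recipient packet: no key ID, just a masked 32-byte session key and a tag."""
    nonce = os.urandom(16)
    masked = bytes(a ^ b for a, b in zip(session_key, _pad(key, nonce)))
    return nonce + masked + hmac.new(key, nonce + masked, "sha256").digest()

def try_unwrap(key, packet):
    """Trial decryption: return the session key, or None if this packet is not for `key`."""
    nonce, masked, tag = packet[:16], packet[16:48], packet[48:]
    expected = hmac.new(key, nonce + masked, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, _pad(key, nonce)))

def prompt_per_packet(packets, salt, ask):
    """Order described in the message: a fresh prompt for every packet tried (None if no match)."""
    for packet in packets:
        session_key = try_unwrap(unlock(ask(), salt), packet)
        if session_key is not None:
            return session_key

def prompt_once(packets, salt, ask):
    """Order proposed in the message: unlock first, then walk the whole packet list."""
    key = unlock(ask(), salt)
    return next((s for s in (try_unwrap(key, p) for p in packets) if s is not None), None)

def count_prompts(position, total=5, passphrase="constructed passphrase"):
    """Return (prompts with per-packet order, prompts with unlock-first order)."""
    salt, session_key = os.urandom(16), os.urandom(32)
    packets = [wrap(os.urandom(32), os.urandom(32)) for _ in range(total)]  # other recipients
    packets[position] = wrap(unlock(passphrase, salt), session_key)         # my packet
    counts = []
    for strategy in (prompt_per_packet, prompt_once):
        asked = []
        result = strategy(packets, salt, lambda: asked.append(1) or passphrase)
        assert result == session_key
        counts.append(len(asked))
    return tuple(counts)
```

With the unlock-first order the key material lives only for the duration of one decryption call, so no passphrase cache is involved in getting down to a single prompt.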




