marcus.brinkmann at ruhr-uni-bochum.de
Thu May 19 01:57:34 CEST 2011
On 05/18/2011 06:19 PM, Werner Koch wrote:
> On Tue, 17 May 2011 22:54, john.wyzer at gmx.de said:
> A call trace is not what I ciew as usefull. However a title bar with
> the name of the program responsible for popping up the pinentry may be
> useful and won't harm. It is merely a convenience thing and in no way a
> security featre. I'd like to have something like this.
The problem is that you can not declare it not to be a security feature by
fiat. Users will perceive it as a security feature or not depending on the
whole context and their expectations. If they do rely on a bit, we are in a
bit of a mess here, quite frankly.
Of course, this problem is not specific to gnupg/pinentry. It is a security
and usability issue that permeates the whole user session.
Because these problems are so severe and known for a long time, we have to be
pessimistic about the ability to find simple solutions on the desktop (the
story is different on recent mobile devices). I think the best that can be
achieved in a simple manner is to make sure that a cached passphrase is not
used in quick succession many times without the user being able to notice this
activity. If there is a malicious program, it may be able to trick the user
into signing a message or two under false pretenses, but it should not be able
to sign hundreds or thousands without raising suspicion.
More information about the Gnupg-devel