marcus.brinkmann at ruhr-uni-bochum.de
Thu May 19 02:05:11 CEST 2011
On 05/19/2011 01:57 AM, Marcus Brinkmann wrote:
> On 05/18/2011 06:19 PM, Werner Koch wrote:
>> On Tue, 17 May 2011 22:54, john.wyzer at gmx.de said:
>> A call trace is not what I ciew as usefull. However a title bar with
>> the name of the program responsible for popping up the pinentry may be
>> useful and won't harm. It is merely a convenience thing and in no way a
>> security featre. I'd like to have something like this.
> The problem is that you can not declare it not to be a security feature by
> fiat. Users will perceive it as a security feature or not depending on the
> whole context and their expectations. If they do rely on a bit, we are in a
> bit of a mess here, quite frankly.
> Of course, this problem is not specific to gnupg/pinentry. It is a security
> and usability issue that permeates the whole user session.
The consequence I forgot to add is that you can add such a string or not, it
doesnt matter. Whatever mechanism would be chosen could be subverted by a
malicious user due to the lack of security boundaries in the users session.
The below is meant to address the more general security problem that an
identifier could be perceived to solve (even if not intended to).
> Because these problems are so severe and known for a long time, we have to be
> pessimistic about the ability to find simple solutions on the desktop (the
> story is different on recent mobile devices). I think the best that can be
> achieved in a simple manner is to make sure that a cached passphrase is not
> used in quick succession many times without the user being able to notice this
> activity. If there is a malicious program, it may be able to trick the user
> into signing a message or two under false pretenses, but it should not be able
> to sign hundreds or thousands without raising suspicion.
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
More information about the Gnupg-devel