Integrate pinentry-mac into pinentry
Roman Zechmeister
Mento at gpgtools.org
Tue Feb 24 12:37:24 CET 2015
Hello Werner!

> This violates the security barrier of gpg-agent. Any application could
> trick a user into doing things he does not want. For keys controlled by
> gpg-agent the shown key identification should come from gpg-agent
> without any user overridable string.
>
> It is a different thing to allow additional information to be displayed.
> If there is a need for it it can be added but it should be specified in
> the gpg-agent/pinentry protocol.

My idea is not to allow overriding the shown Fingerprint/KeyID.
The idea is to allow a more intuitive and informative message.
Normally the message comes from gpg and not from gpg-agent.
The message could also come from any other software using gpg-agent directly.
Also have a look at my last mail on the devel list (22 Feb, 17:55).
Btw. the same attack could be used on pinentry, to show a fake message.

Regards, Mento