gpg-agent and allow-loopback-pinentry

Werner Koch wk at gnupg.org
Fri Jan 2 14:18:17 CET 2015 

On Tue, 30 Dec 2014 23:33, dkg at fifthhorseman.net said:

> to be honest, when i've watched users set up enigmail with GnuPG for the
> first time, they're often confused by the fact of a password for the key
> in the first place.

Right, I bet that 80% of all users do not fully understand for what the
passphrase is used.  It is even questionable whether a passphrase
protected key is useful for a non-mobile computer given that attacker
able to grab a protected key will in most cases also be able to
install a keylogger.

> And an OpenPGP key by default is not the same thing as a web service,
> either.

Right - Documentation should stree that point.

> What about generating the key with no passphrase initially, and
> presenting a big "protect this key with a passphrase" button to the user
> when no passphrase is set?

Given the above scenario I actually kind of like that.

>  * passphraseless keys will be written to the filesystem and might not
> ever be erased.
>
>  * some users will never click the "protect this key with a passphrase"
> button.

As an alternative we could keep the key in memory (gpg-agent is running
in the background) and only write it to the disk once a change
passphrase has been done.  We would also not allow to send the key to a
keyserver before it has not been passphrase protected.

Instead of "please protect your key now" we could use a "you now need to
test your key" and in course of that setup a passphrase.  Creating a
signed message and decrypt an automagically created message would also
help to remember the passphrase.

>  * it's not clear to me whether there's an easy way for enigmail to tell
> whether the secret key in question has a passphrase set on it or not

gpg-agent has this command:

  > help keyinfo
  # KEYINFO [--[ssh-]list] [--data] [--ssh-fpr] [--with-ssh] <keygrip>

  #   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>

  # PROTECTION describes the key protection type:
  #     'P' - The key is protected with a passphrase,
  #     'C' - The key is not protected,
  #     '-' - Unknown protection.

Enigmail can use it via gpg-connect-agent to check for a key or we can
add a wrapper command to gpg.  If a keep-in-memory-until-passwd approach
would be implemented this command can also be used to return relevant
info.

> I don't know if there are any usability studies that would help make
> this decision easier.

Anyone who has time to research this?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list