gpg-agent and allow-loopback-pinentry
Patrick Brunschwig
patrick at enigmail.net
Fri Jan 2 15:13:31 CET 2015
On 02.01.15 14:18, Werner Koch wrote:
> On Tue, 30 Dec 2014 23:33, dkg at fifthhorseman.net said:
>
>> to be honest, when i've watched users set up enigmail with GnuPG for the
>> first time, they're often confused by the fact of a password for the key
>> in the first place.
>
> Right, I bet that 80% of all users do not fully understand for what the
> passphrase is used. It is even questionable whether a passphrase
> protected key is useful for a non-mobile computer given that an attacker
> able to grab a protected key will in most cases also be able to
> install a keylogger.
>
>> And an OpenPGP key by default is not the same thing as a web service,
>> either.
>
> Right - Documentation should stress that point.
>
>> What about generating the key with no passphrase initially, and
>> presenting a big "protect this key with a passphrase" button to the user
>> when no passphrase is set?
>
> Given the above scenario I actually kind of like that.
>
>> * passphraseless keys will be written to the filesystem and might not
>> ever be erased.
>>
>> * some users will never click the "protect this key with a passphrase"
>> button.
>
> As an alternative we could keep the key in memory (gpg-agent is running
> in the background) and only write it to the disk once a change
> passphrase has been done. We would also not allow sending the key to a
> keyserver before it has been passphrase protected.
>
> Instead of "please protect your key now" we could use a "you now need to
> test your key" and in the course of that set up a passphrase. Creating a
> signed message and decrypting an automagically created message would also
> help to remember the passphrase.
>
>> * it's not clear to me whether there's an easy way for enigmail to tell
>> whether the secret key in question has a passphrase set on it or not
>
> gpg-agent has this command:
>
> > help keyinfo
> # KEYINFO [--[ssh-]list] [--data] [--ssh-fpr] [--with-ssh] <keygrip>
>
> # KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
>
> # PROTECTION describes the key protection type:
> # 'P' - The key is protected with a passphrase,
> # 'C' - The key is not protected,
> # '-' - Unknown protection.
>
> Enigmail can use it via gpg-connect-agent to check for a key or we can
> add a wrapper command to gpg. If a keep-in-memory-until-passwd approach
> would be implemented this command can also be used to return relevant
> info.
>
>> I don't know if there are any usability studies that would help make
>> this decision easier.
>
> Anyone who has time to research this?
We recently had a usability study on Enigmail done by a German
University (I'm not sure if I'm allowed to publish the name, so I
don't). Enigmail has a setup wizard (which generates a key if needed),
and the recommendation was to design the key creation dialog as follows:
----------------------------------------
*Key Creation*
Your _public key_ is used by others to send you encrypted messages. You
can distribute it to anyone.
Your _private key_ is required for you to decrypt received mails and to
send signed mails. You should not give it to anyone. To secure your
private key, please enter a passphrase below.
*Important:* your passphrase is not your private key.
Passphrase : [ ]
Confirm passphrase: [ ]
Password Quality: [color bar]
----------------------------------------
I am right now modifying our wizard to look and work exactly this way.
-Patrick
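The KEYINFO check Werner describes above, as an added example (not Enigmail or GnuPG code): it parses the status lines gpg-connect-agent prints for "KEYINFO <keygrip>" in the field layout quoted in the thread (newer agents append further fields, which are ignored) and reports whether the key is passphrase protected, so a wizard could decide whether to show the "protect this key" step. The keygrips, serial number and output in SAMPLE_OUTPUT are constructed for the example; the live query assumes gpg-connect-agent is on PATH and an agent is running, and is only executed from the command line.

```python
"""Check whether a gpg-agent secret key is passphrase-protected via KEYINFO.

Added example, not Enigmail or GnuPG code. Field layout as quoted on the
gnupg-devel thread:
  S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr>
Later gpg-agent versions add more fields after <fpr>; they are ignored here.
"""
import subprocess
import sys

# PROTECTION field, as quoted in the thread.
PROTECTION = {"P": "passphrase", "C": "unprotected", "-": "unknown"}
# TYPE field, from the gpg-agent KEYINFO help text.
KEY_TYPE = {"D": "on disk", "T": "on smartcard", "X": "unknown", "-": "missing"}


def parse_keyinfo(line):
    """Parse one 'S KEYINFO ...' status line into a dict; None for any other line."""
    parts = line.strip().split()
    # 'S' + 'KEYINFO' + the seven fields quoted in the thread = 9 tokens minimum.
    if len(parts) < 9 or parts[0] != "S" or parts[1] != "KEYINFO":
        return None
    keygrip, ktype, serialno, idstr, cached, protection, fpr = parts[2:9]
    return {
        "keygrip": keygrip,
        "type": KEY_TYPE.get(ktype, "unknown"),
        "serialno": None if serialno == "-" else serialno,
        "idstr": None if idstr == "-" else idstr,
        "cached": cached == "1",          # passphrase currently cached by the agent
        "protection": protection,         # raw 'P', 'C' or '-'
        "fingerprint": None if fpr == "-" else fpr,
    }


def key_protection(output, keygrip):
    """Return 'passphrase', 'unprotected' or 'unknown' for KEYGRIP, or None if
    the agent output lists no such key (e.g. an 'ERR' reply or a wrong grip)."""
    for line in output.splitlines():
        info = parse_keyinfo(line)
        if info and info["keygrip"].upper() == keygrip.upper():
            return PROTECTION.get(info["protection"], "unknown")
    return None


def needs_passphrase_prompt(output, keygrip):
    """True only when the key exists locally and is stored without a passphrase,
    i.e. when a wizard should offer the 'protect this key with a passphrase' step."""
    return key_protection(output, keygrip) == "unprotected"


def query_agent(keygrip):
    """Ask the running gpg-agent (assumes gpg-connect-agent on PATH; not used by tests)."""
    result = subprocess.run(
        ["gpg-connect-agent", "KEYINFO " + keygrip, "/bye"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample output (hypothetical keygrips and card serial): a protected
# key on disk, an unprotected key on disk whose passphrase slot is cached, and a
# smartcard-backed key for which the agent cannot report protection.
SAMPLE_OUTPUT = """\
S KEYINFO 8D6B9C0C4A5B0E4E44F5A3E1C1D2B3A4F5E6D7C8 D - - - P -
S KEYINFO 0A1B2C3D4E5F60718293A4B5C6D7E8F901234567 D - - 1 C -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 T D2760001240102000005000011110000 OPENPGP.1 - - -
OK
"""

if __name__ == "__main__":
    # Usage: python keyinfo_check.py <keygrip>   (queries the live agent)
    grip = sys.argv[1]
    state = key_protection(query_agent(grip), grip)
    print(grip, "->", state, "(prompt for passphrase)" if state == "unprotected" else "")
```

Matching keygrips case-insensitively matters in practice: gpg prints them in upper case, but users and scripts often paste lower-case hex. Note that a 'T' (smartcard) key reports '-' here, which the caller must treat as "do not prompt", not as "unprotected".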