gpg-agent and allow-loopback-pinentry

Werner Koch wk at gnupg.org
Fri Jan 2 16:02:02 CET 2015


On Fri,  2 Jan 2015 15:13, patrick at enigmail.net said:

> and recommendation was to design the key creation dialog as follows:
>
> ----------------------------------------
> *Key Creation*
>
> Your _public key_ is used by others to send you encrypted messages. You
> can distribute it to anyone.
>
> Your _private key_ is required for you to decrypt received mails and to
> send signed mails. You should not give it to anyone. To secure your
> private key, please enter a passphrase below.
>
> *Important:* your passphrase is not your private key.
>
> Passphrase        : [         ]
> Confirm passphrase: [         ]
>
> Password Quality:   [color bar]
> ----------------------------------------

I am not a UX expert but with my Facebook-user-hat on I see a lot of
text which describes something but does not explain what the passphrase
is.  "is not your private key" - well, what is it then?

The prominent passphrase entry with quality bar and a bold "important"
flag creates the impression that the passphrase is really important for
security.

There is also no exercise to make sure the passphrase is remembered
after a few minutes.  Many people rely on the "forget password? - enter
email" recovery process known from almost all websites.  The idea with
the old Pinentry to enter the passphrase several times during creation
was actually to have such a minimal exercise - however, it failed.  The
user does not know why it was done this way and is annoyed.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.