TOFU: interacting with the user
aheinecke at intevation.de
Wed Oct 21 15:54:25 CEST 2015
On Wednesday 21 October 2015 15:35:33 Neal H. Walfield wrote:
> At Tue, 20 Oct 2015 19:46:23 +0200,
> Andre Heinecke wrote:
> > I've not yet tested what happens in case of conflicts where the command
> > line would ask questions. Maybe bring up a pinentry prompt for that?
> This requires GpgME support.
> There are a couple of arguments against using pinentry for this.
> I think we should only use pinentry for requesting sensitive
Isn't "Is this key good or bad?" a sensitive decision? Like trusting a CA. It
directly influences the outcome of verification results.
> Moreover, only gpg agent should use pinentry. This way,
> the user learns that only gpg-agent uses this interface. Currently,
> it is not possible to enforce this behavior. But if we ever get good
> mechanisms for implementing the principle of least authority (like
> Genode), we should make sure that we are still in a position to take
> advantage of them.
I don't see why this couldn't be handled by the agent too?
gpg -> agent -> pinentry
> Second, pinentry doesn't currently support TOFU's queries! When a
> conflict is detected, GnuPG asks the user to assign a policy to the
> key. There are five choices (good, accept once, unknown, reject once,
> bad). Currently, pinentry only supports up to three buttons. A hack
> would be to only offer three choices: good, unknown and bad. This
> works because the other two are just ways to defer the decision and
> not really policies.
Right. But we can easily and quickly modify pinentry to present those queries
nicely in a new version. Doing this in every GUI software that uses GnuPG and
adding support to GpgME would be way more effort, and I expect that it will take
much longer until TOFU is widely supported if we wait for that.
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner