TOFU: interacting with the user

Andre Heinecke aheinecke at
Wed Oct 21 15:54:25 CEST 2015


On Wednesday 21 October 2015 15:35:33 Neal H. Walfield wrote:
> At Tue, 20 Oct 2015 19:46:23 +0200,
> Andre Heinecke wrote:
> > I've not yet tested what happens in case of conflicts where the command
> > line would ask questions. Maybe bring up a pinentry prompt for that?
> This requires GpgME support.
> There are a couple of arguments against using pinentry for this.
> I think we should only use pinentry for requesting sensitive
> information. 

Isn't "Is this key good or bad?" a sensitive decision? Like trusting a CA. It 
directly influences the outcome of verification results.

> Moreover, only gpg agent should use pinentry.  This way,
> the user learns that only gpg-agent uses this interface.  Currently,
> it is not possible to enforce this behavior.  But if we ever get good
> mechanisms for implementing the principle of least authority (like
> Genode), we should make sure that we are still in a position to take
> advantage of them.

I don't see why this couldn't be handled by the agent too?
gpg -> agent -> pinentry

> Second, pinentry doesn't currently support TOFU's queries!  When a
> conflict is detected, GnuPG asks the user to assign a policy to the
> key.  There are five choices (good, accept once, unknown, reject one,
> bad).  Currently, pinentry only supports up to three buttons.  A hack
> would be to only offer three choices: good, unknown and bad.  This
> works because the other two are just ways to defer the decision and
> not really policies.

Right. But we can easily and quickly modify pinentry to present those queries
nicely in a new version. Doing this in every GUI software that uses GnuPG and
adding support to GPGME would be way more effort, and I expect that it will take
much longer until TOFU is widely supported if we wait for that.


Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
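As an added illustration of the conflict handling the thread discusses (not code from GnuPG, pinentry or either poster): a toy TOFU binding store that prompts only on a second key for the same address, persists only the three real policies, treats "accept once" / "reject once" as deferrals, and can restrict the offered choices to the three-button set. The store layout, the callback shape and the use of `unknown` for a first-seen binding are assumptions made for the example.

```python
from enum import Enum
from typing import Callable, Dict, Tuple


class Policy(Enum):
    GOOD = "good"
    ACCEPT_ONCE = "accept once"
    UNKNOWN = "unknown"
    REJECT_ONCE = "reject once"
    BAD = "bad"


# Only these three are policies the store remembers; "accept once" and
# "reject once" merely defer the decision to the next verification.
PERSISTENT = frozenset({Policy.GOOD, Policy.UNKNOWN, Policy.BAD})

# The reduced choice set that fits pinentry's three buttons.
THREE_BUTTONS = (Policy.GOOD, Policy.UNKNOWN, Policy.BAD)

# Callback standing in for the UI: receives email, fingerprint, offered choices.
Asker = Callable[[str, str, Tuple[Policy, ...]], Policy]


class TofuStore:
    """Assumed layout: email -> {fingerprint -> persisted Policy}."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Dict[str, Policy]] = {}

    def verify(self, email: str, fpr: str, ask: Asker,
               choices: Tuple[Policy, ...] = tuple(Policy)) -> Tuple[Policy, bool]:
        """Return (policy applied to this verification, whether the user was asked)."""
        known = self.bindings.setdefault(email, {})
        if fpr in known:            # binding already decided: no prompt
            return known[fpr], False
        if not known:               # first use: recorded as unknown (assumption), no prompt
            known[fpr] = Policy.UNKNOWN
            return Policy.UNKNOWN, False
        # A second key for the same address is a conflict: the user decides.
        answer = ask(email, fpr, choices)
        if answer not in choices:   # e.g. a deferral when only three buttons are offered
            raise ValueError(f"{answer.value!r} is not among the offered choices")
        if answer in PERSISTENT:
            known[fpr] = answer
        return answer, True
```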