The loopback pinentry

Werner Koch wk at gnupg.org
Thu Apr 21 13:07:57 CEST 2016


On Wed, 20 Apr 2016 18:33, dkg at fifthhorseman.net said:

> It seems like it's pretty easy for advanced users like Mailpile to set
> allow-loopback-pinentry directly for their running gpg-agent (if they
> need to do so) so that's not a good argument for changing the defaults.

Right, we could also add it to gpgconf so that even GUIs can easily
change that.  I briefly chatted with Bjarni about this and his main
concern is that this is an extra step required and folks will forget
about this and use, for example, ad-hoc workarounds instead.

If we can make common unattended use cases easier by using other
defaults, I believe that will improve the overall security of systems.

I am not aware of a threat that option may counter - I introduced it (or
rather, suggested it to Ben Kibbey) to make sure the loopback mode won't
break anything.  That was easier than to think about possible
consequences.  Due to the introduction of the restricted modes
(--extra-socket) we have a working method for remote access and thus I
consider loopback mode safe for now.

If we start to use a different (side-)account for gpg-agent we may need
to reconsider this.  However, we can and should disable loopback mode
then on a per-connection basis.

> Is there a writeup of the expected threat model for gpg-agent?  if not,
> it would be worth writing down a few paragraphs to help clarify

No, there is no writeup.  Yes, it should eventually be written.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
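
The configuration the thread is discussing, as an added example that is not part of the original message or of GnuPG itself: an isolated GNUPGHOME whose gpg-agent.conf carries allow-loopback-pinentry (the option Mailpile would have to set) together with an extra-socket entry for the restricted remote mode Werner mentions, and an unattended signing call that uses --pinentry-mode loopback with the passphrase delivered on fd 0 rather than on the command line. The temporary directory, socket path, user ID and file names are constructed for the example; gpg and gpgconf are assumed to be on PATH for the demo part only.

```shell
#!/bin/sh
# Added example (not from the thread): loopback pinentry for unattended use.
# With loopback mode the agent does not call a pinentry at all; the caller
# supplies the passphrase, so protecting it becomes the caller's problem.
set -eu

# Throwaway GNUPGHOME with owner-only permissions (path is an assumption).
make_gnupghome() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/gnupg-loopback.XXXXXX")
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# gpg-agent.conf: allow loopback requests, and expose a restricted
# extra socket (constructed path) for forwarding to remote hosts.
# Without the first line an agent that defaults to "off" refuses the
# loopback request and the unattended job fails.
write_agent_conf() {
  home=$1
  cat > "$home/gpg-agent.conf" <<EOF
allow-loopback-pinentry
extra-socket $home/S.gpg-agent.extra
EOF
  printf '%s\n' "$home/gpg-agent.conf"
}

# Pre-flight check a script should run before relying on loopback mode.
conf_allows_loopback() {
  grep -qx 'allow-loopback-pinentry' "$1"
}

# Unattended detached signature. The passphrase is read from a file
# (mode 600) on fd 0; it never appears in argv or a process listing.
sign_loopback() {
  home=$1; keyid=$2; passfile=$3; infile=$4
  GNUPGHOME=$home gpgconf --reload gpg-agent
  GNUPGHOME=$home gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
    --local-user "$keyid" --detach-sign --output "$infile.sig" "$infile" < "$passfile"
}

# Demo: ./loopback.sh demo  (needs gpg/gpgconf; creates and destroys a keyring)
if [ "${1:-}" = "demo" ]; then
  home=$(make_gnupghome)
  conf=$(write_agent_conf "$home")
  conf_allows_loopback "$conf"
  umask 077
  printf 'example-passphrase\n' > "$home/pass"      # constructed secret
  printf 'hello\n' > "$home/msg.txt"                # constructed input
  GNUPGHOME=$home gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
    --quick-gen-key "Loopback Demo <demo@example.invalid>" default default never \
    < "$home/pass"
  sign_loopback "$home" "demo@example.invalid" "$home/pass" "$home/msg.txt"
  GNUPGHOME=$home gpg --verify "$home/msg.txt.sig" "$home/msg.txt"
  GNUPGHOME=$home gpgconf --kill gpg-agent
  rm -rf "$home"
fi
```

The demo runs the whole cycle (key generation, signing, verification) in a private GNUPGHOME so it never touches the user's real keyring; the extra-socket line is what a client would forward to a remote host so that only the restricted command set is reachable there, which is the reason the thread treats loopback on the main socket as acceptable.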