[PATCH GnuPG] agent: Enable restricted, browser, and ssh socket by default.

Werner Koch wk at gnupg.org
Thu Sep 15 17:22:02 CEST 2016


On Thu, 15 Sep 2016 14:58, justus at g10code.com said:

> This change enables the restricted, browser, and ssh socket by
> default.  Note that in all cases, the user has to do some additional
> configuration to her setup to make use of these features.  Therefore,

I am strongly against such defaults.  They are not required for any
standard GnuPG use.  In particular the ssh-agent feature should not be
enabled without user consent.

That would be a bit similar to the GKR problem we had for years.  Right,
you need to tell ssh about this other socket.  But at some point in the
future we may have achieved auto starting of gpg-agent by ssh and then
the default ssh configuration would use gpg-agent - which I would
consider hostile.  OpenSSH's agent and gpg-agent use a very different
architecture, despite that they speak the same protocol.  Those folks,
who know what ssh is and want to use it, are all able to click on
"enable-ssh-support" in some GnuPG GUI or add it to gpg-agent.conf.

The extra socket stuff is even more hackish and by default a software
shall limit itself to listen for connections on the standard port and
not on some esoteric stuff.  Iff there will eventually be a browser or
browser extension in wide use which requires --browser-socket (and
probably other stuff) we can re-consider the defaults.

Note that there is a feature in the queue to set a configuration options
From a recipe file.  This will be used to configure GnuPG according to
certain policy guidelines.  A hacker's choice profile can of course then
be distributed along with GnuPG.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20160915/9ae2f015/attachment.sig>


More information about the Gnupg-devel mailing list