simplifying the use of --throw-keyid option

David Shaw
Thu Apr 3 07:14:01 2003

Hash: SHA1

On Wed, Apr 02, 2003 at 08:17:41PM -0500, Todd wrote:
> David Shaw wrote:
> > On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote:
> >
> >> if one gets a message encrypted with the --throw-keyid option the 
> >> receiver's GnuPG has to try all available secret keys and this can be a 
> >> bit annoying if one has several secret keys.
> >> So, wouldn't it be a nice idea to have a new option "--encrypted-with" 
> >> to simplify this ?
> >
> > The development branch has better handling of such messages.  Instead
> > of prompting for each secret key, it prompts for a single passphrase
> > and tries it against all keys.  This will be in 1.4.
> Pardon me for asking a question when I know very little about the subject,
> but why not display the key for which gpg is asking for a passphrase?  I'm
> thinking of what ssh does, using key based authentication, it will prompt
> you something like:
>     Enter passphrase for key '/home/user/.ssh/id_rsa':
> Could that be done for gpg when it's trying your various secret keys?
> Obviously, it would use either the keyid or some other identifier in place
> of the file path as ssh uses.

That is what GnuPG currently does.  The problem with this method is
that when decrypting a message with a thrown (hidden) keyid, the user
must type the passphrase for every single key.  For users with more
then one secret key, this is annoying.  The new system asks for a
passphrase once, and then tries each secret key with that passphrase.

Version: GnuPG v1.2.2rc1 (GNU/Linux)