gpg-agent and memory locking
Tue Sep 9 20:28:03 2003
On Tuesday 09 September 2003 11:42, Werner Koch wrote:
> On Mon, 8 Sep 2003 21:49:41 -0400, Todd said:
> > I'm looking to find out if gpg-agent locks memory to prevent the
> > passphrase from getting swapped and if it does, should it also be
> > setuid root as gpg (on systems that require root access to lock
> > memory that is)?
> Yes it does. However the use of secure memory in gpg-agent needs to
> be audited; it is likley that there are places where the passphrase
> could pop up in memory.
> I have also some severe doubts whether pinentry-qt makes proper use
> of secure memory. pinentry-gtk should be better becuase it uses a
> widget especially written to protect the passphrase.
pinentry-q t is highly unstable because of the "secure memory hack". Did=20
you ever have a look at the code? It constantly runs out of memory for=20
many people (seems to depend on the widget style). It would have been=20
much better if you'd also written a special widget for pinentry-qt. The=20
current implementation definitely sucks.
Sorry, for the rant. But I'm not at all satisfied with some of the=20
things that came out of project Aegypten, e.g. pinentry-qt, the=20
certificate manager, the S/MIME certificate selection dialog in KMail.=20
I just hope that the BSI will demand improvements instead of putting=20
project Aegypten on the list of failed projects.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
-----END PGP SIGNATURE-----