Confirmation for cached passphrases useful?

[Daniel Kahn Gillmor]

On 10/11/2010 09:25 PM, Hauke Laging wrote:
> I just had the idea that it might be a good countermeasure against malicious 
> software not to use a cached passphrase without any user interaction (and thus 
> without user notice). A good compromise would be to open a dialog which does 
> not ask for the passphrase but just for the confirmation that it's OK to use 
> the passphrase. The dialog could mention the process accessing gpg-agent.

I agree this would be useful, with a few notes:

 0) clients that have full access to the X session (or terminal, or
whatever mechanism is used for the prompting) can probably auto-accept
the prompt.  So malicious clients with this access wouldn't actually be
prevented from unauthorized access.  However, not all clients
necessarily have this level of access, so it can still be useful from
security perspective.

 1) gpg-agent might not be able to determine useful information about
requesting processes in some configurations, and on some operating systems.

 2) users should be able to specify which passphrases (or secret keys?)
they want to trigger a prompt for (some might not need or want a prompt).

 3) it would be nice for the prompting facility to be flexible enough to
support alternate prompt techniques (possibly differing from the
pinentry used to supply passphrases in the first place).  For example,
it would be nice if a prompt could only be accepted by some physical
response from the system (assuming the malicious client doesn't have
superuser access, in which case all bets are off anyway), even if the
alert for the prompt shows up via the windowing system or the console.

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101011/edea7e2b/attachment.pgp>