Confirmation for cached passphrases useful?

Robert J. Hansen rjh at
Tue Oct 12 04:20:39 CEST 2010

On 10/11/2010 9:25 PM, Hauke Laging wrote:
> I just had the idea that it might be a good countermeasure against 
> malicious software not to use a cached passphrase without any user 
> interaction (and thus without user notice).

The most obvious way I see to circumvent this involves throwing a
trampoline on the UI library and bypassing this code entirely. It's a
two-hour hack, assuming you already have root access to the system.  It
might make users *feel* more secure, but it doesn't actually help
overall system security -- IMO, at least.  YMMV.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5598 bytes
Desc: S/MIME Cryptographic Signature
URL: </pipermail/attachments/20101011/2df9cabd/attachment.bin>

More information about the Gnupg-users mailing list