Confirmation for cached passphrases useful?

Werner Koch wk at gnupg.org
Fri Oct 15 12:28:33 CEST 2010


On Wed, 13 Oct 2010 17:51, dkg at fifthhorseman.net said:

> If I run the agent locally, and forward access to it to a constrained
> account, then the constrained account (which is talking to the agent)
> *does not* have the ability to simulate such X11 events.

You mean to a different X server?  For example from a nested one to the
main X server?  Then why do you want to have this yes/no prompt, the
other X server has no access to the pinentry.

I doubt that it is possible to have a restricted account running on the
same X server.

> requires, say, an ACPI event, or a special keypress (not an X11 event)
> from a designated hardware button.  In that case, malicious code with
> access to the X11 session could detect that a prompt had been made, and

If there is malicious code running on your machine with access to
resources under your control, I can only say: game over.  No external
button will help you here.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.