Confirmation for cached passphrases useful?

Jameson Rollins jrollins at
Fri Oct 15 20:49:41 CEST 2010

On Fri, 15 Oct 2010 13:42:05 -0400, "Robert J. Hansen" <rjh at> wrote:
> On 10/15/10 1:31 PM, Doug Barton wrote:
> > The other problem with the confirmation proposal is that ... the
> > intersection between plausible attack vectors and vulnerabilities
> > that [this proposal] would actually fix seems [very] small.
> I seem to recall saying something similar to this a few days ago.  :)
> I'll go one step further: so far I haven't seen anyone present a
> plausible intersection.  I've seen some hypothetical intersections, but
> none that I think are plausible.

Without use confirmation in the agent, a malicious program running under
your account could access your secret key without you knowing it.  That
is clear and indisputable.  If there was no worry of this happening,
then there would also be no need to passphrase-protect your secret key.
Since everyone seems to agree that one should passphrase-protect your
secret key, then there are obviously plausible attack vectors here.

I am also strongly in favor of use confirmation in the agent, and I'm
having a hard time understanding the opposition to it.

FWIW, ssh-agent implements use confirmation, so they clearly thought
there were plausible attack vectors as well.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: </pipermail/attachments/20101015/21f27119/attachment.pgp>

More information about the Gnupg-users mailing list