Confirmation for cached passphrases useful?

Jameson Rollins jrollins at
Fri Oct 15 23:04:41 CEST 2010

On Fri, 15 Oct 2010 15:36:51 -0400, "Robert J. Hansen" <rjh at> wrote:
> On 10/15/10 2:49 PM, Jameson Rollins wrote:
> > Without use confirmation in the agent, a malicious program running under
> > your account could access your secret key without you knowing it.
> This can still happen with a confirmation prompt.  Confirmation cannot
> protect against malware running under your account.  If the agent pops
> up a dialog box, then all I have to do is intercept the dialog box and
> answer 'yes.'

Ok, then this protects against malicious programs that are not
intercepting the dialog box.  Just because a fix for one problem doesn't
solve all possible problems does not mean that it should be ignored.
Don't let the perfect be the enemy of the good.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: </pipermail/attachments/20101015/6d0672af/attachment.pgp>

More information about the Gnupg-users mailing list