SSH generic socket forwarding for gpg-agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Feb 16 06:08:35 CET 2015


On Sat 2015-02-14 08:28:19 -0500, Werner Koch wrote:
> On Fri, 13 Feb 2015 23:23, dkg at fifthhorseman.net said:
>
>> Encouraging this kind of use seems risky.  I certainly wouldn't want to
>> do it without being able to have gpg-agent prompt me on my local machine
>> for each use of the key.  Its current silent operation once the
>
> Similar to smartcards, this feature protects against key
> compromise but not against misuse of the key.
>
>> Could gpg-agent have a setting (per-key? per-agent?) that would have it
>> use pinentry for prompting?
>
> Good idea.  We can disable the cache in this case by default and allow
> it only by option - either for all keys or (with a bit more code) for a
> selected set of keys.

To clarify what i meant:

My suggestion is to do prompting, but not to require the full passphrase
for each use.

Requiring the full passphrase for each use often discourages the use of
strong passphrases, especially if the key is used repeatedly.

I've recorded this suggestion here:

   https://bugs.g10code.com/gnupg/issue1840

Thanks,

       --dkg