Thoughts on GnuPG and automation
Hans of Guardian
hans at guardianproject.info
Tue Mar 3 17:28:12 CET 2015
Yeah, mailpile has a very unusual architecture, so its no surprise it'll need some unusual tricks. Unusual tricks in software that aims to be secure generally make me nervous since it is important to keep code readable and understandable for both the core devs, but also contributors, auditors, etc.
On Mar 3, 2015, at 4:23 PM, Brian Minton wrote:
> It breaks mailpile because gpg-agent is not session aware. A user could
> be logged in locally, using mailpile, and a remote attacker could access
> the web interface of that locally running mailpile instance, which since
> it is talking to the same gpg-agent, would think the remote user is
> logged in (or more precisely, has the private key).
> I think that one solution would be to have mailpile use a per-session
> gpg home dir.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users