How to prevent passphrase caching in 2.1
Carola Grunwald
caro at nymph.paranoici.org
Tue Nov 22 17:20:26 CET 2016
Peter Lebbing <peter at digitalbrains.com> wrote:
>On 21/11/16 15:20, Carola Grunwald wrote:
>> As for each single decryption task only a defined passphrase is
>> allowed to be used, it's essential to have caching, which entails
>> the risk of unauthorized passphrase usage, strictly deactivated.
>
>Why do you lump these users together? At a first glance it seems more
>logical that they have separate system accounts, or at the least
>separate GnuPG homedirs (and hence agents).
They don't have any system account at all. These are users of a
messaging system, only allowed to access its POP3, SMTP and NNTP
service.
>
>They shouldn't even have access to the encrypted private key in the
>first place.
They don't have direct access to any key. Nevertheless, by using someone
else's cached passphrase with 2.1 and its all-embracing keyring they may
succeed in decoding data not meant for them.
Kind regards
Caro