How to prevent passphrase caching in 2.1

Carola Grunwald caro at
Wed Nov 23 03:28:36 CET 2016

Peter Lebbing <peter at> wrote:

>On 22/11/16 17:20, Carola Grunwald wrote:
>> They don't have any system account at all. These are users of a
>> messaging system, only allowed to access its POP3, SMTP and NNTP
>> service.
>Perhaps 1.4 is the best release for you... you'll miss out on Elliptic
>Curve, but other than that, it's still a supported release.

Sure, I like v1.4's small footprint and its reliability. But as the
--faked-system-time option, important in my application for privacy
reasons, wasn't backported to v1.4, I had to migrate to v2.1. I'm still
not very confident in EC cryptography's strength nor am I interested in
dealing with just another background service, which freezes every now
and then and actively has to be stopped with my application to keep it

>> They don't have direct access to any key. Nevertheless by using someone
>> else's cached passphrase with 2.1 and its all-embracing keyring they may
>> succeed in decoding data not meant for them.
>Perhaps you should implement access control in your frontend, instead of
>asking the agent to perform access control, for which it was not
>intended, AFAIK.

There's server access control through a username/password combination,
access to the corresponding PGP key is given by a usually unique base64
encoded 256-bit random number dedicated to the account.

But if for decryption a cloud of unpredictable valid passphrases is used

> It sounds like you just want the ability to work with
>OpenPGP material, rather than the user-centric model the agent seems to
>correspond to. When GnuPG gives you a square peg, you'll have to build
>your own adapter before it fits in a round hole ;).

Well, I didn't know that GnuPG follows a single-user strategy. Now I do.

>By the way, I'm not recommending anything (this in response to your "do
>you seriously recommend..."). I know nothing about your application or
>what you demand of it. I'm merely trying to give you directions to look
>in, while you search for the correct architecture of your application.

I'm truly sorry, no harm intended.

Kind regards


More information about the Gnupg-users mailing list