How to prevent passphrase caching in 2.1

Carola Grunwald caro at nymph.paranoici.org
Wed Nov 23 09:46:57 CET 2016


Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

>On Tue 2016-11-22 11:20:26 -0500, Carola Grunwald wrote:
>> They don't have direct access to any key. Nevertheless by using someone
>> else's cached passphrase with 2.1 and its all-embracing keyring they may
>> succeed in decoding data not meant for them.
>
>fwiw, the same concerns hold for a shared gpg-agent passphrase-cache
>from pre-2.1 versions of gpg as well, right?

Of course.

>
>your model sounds like it needs to use a separate agent per user,
>regardless of which version of the agent you're using.

With GnuPG 1.4 I had no agent. And, in case it is, I've no idea why with
2.x such a passphrase cache with all its risks has to be mandatory.

Kind regards

Caro
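As an added example, not part of this thread or of GnuPG's own documentation: the gpg-agent.conf options that switch the 2.x passphrase cache off for one user's own agent (the separate agent per user that dkg suggests is still what keeps users' caches apart). The target file is a parameter so it can be tried on a scratch file first; the real one is $GNUPGHOME/gpg-agent.conf.

```shell
#!/bin/sh
# Added example (not from the thread): write a gpg-agent.conf that disables
# the passphrase cache in GnuPG 2.x. The path is a parameter so it can be
# tried on a scratch file; the real file is $GNUPGHOME/gpg-agent.conf.
set -eu

# write_no_cache_conf FILE: append the cache-disabling options to FILE.
write_no_cache_conf() {
    conf="$1"
    # default-cache-ttl 0: a new entry is valid for zero seconds, so nothing
    #   survives the operation that asked for the passphrase.
    # max-cache-ttl 0: hard upper bound, also covers gpg-preset-passphrase.
    # no-allow-external-cache: never hand the passphrase to an external
    #   cache such as a desktop keyring.
    cat >>"$conf" <<'EOF'
# disable passphrase caching (scratch config for the example; see gpg-agent(1))
default-cache-ttl 0
max-cache-ttl 0
no-allow-external-cache
EOF
}

# cache_disabled FILE: succeed only if both TTL options are present and zero.
cache_disabled() {
    grep -qx 'default-cache-ttl 0' "$1" && grep -qx 'max-cache-ttl 0' "$1"
}

# reload_agent: make a running agent re-read its config, if gpgconf exists.
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    fi
}
```

After editing the real file, run `reload_agent` (or `gpgconf --reload gpg-agent`) so the change takes effect without restarting the session.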