gpg-agent cache keygrip

Mario Figueiredo marfig at gmx.com
Tue Jul 25 22:30:17 CEST 2017


Hello everyone,

I've been trying to understand gpg-agent cache behavior in the presence
of two distinct keys with the same passphrase. Namely, why is it that it
only asks for the passphrase once, regardless of the key being used?

So I've read the Assuan protocol documentation at (1), in particular
the text in the linked page and the descriptions for PRESET_PASSPHRASE
and GET_PASSPHRASE. But it isn't getting me any closer to understanding
this behavior, because by my own interpretation it contradicts what I
am experiencing.

I would normally expect the gpg-agent cache to operate on a per-key
basis, regardless of passphrase. And this is precisely what the
description for the keygrip on the Assuan protocol seems to indicate.
However, that is not what happens and gpg-agent seems to ignore the key
being used and instead reuse the previously used passphrase from
another key, which just happens to be the same passphrase for the new
key.

Is this a bug, or expected behavior? And if the latter, what is the
rationale for it? It seems to only worsen an already weak decision
security-wise, which is to choose the same passphrase for two
distinct keys.

(1) https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol

-- 
Sincerely / Best regards,

Mário J.G.P. Figueiredo
Luanda, Angola
(email) marfig at gmx.com (alt) krugar at openmailbox.org
(phone) +244 934 535 121
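One way to observe the per-keygrip cache state the post asks about, as an added example that is not part of the original message or of GnuPG itself: the script lists the keygrips of the local secret keys and asks gpg-agent, through gpg-connect-agent's KEYINFO command, whether a passphrase is currently cached for each one. The sample listing and agent replies embedded below are constructed placeholders, not real keys.

```python
"""Report which secret keys gpg-agent currently holds a cached passphrase for."""
import subprocess

# Constructed sample of `gpg --with-colons --with-keygrip -K` output (keygrip is field 10 of a grp record).
SAMPLE_LISTING = (
    "sec:u:2048:1:0123456789ABCDEF:1500000000::u:::scESC:::+:::23::0:\n"
    "grp:::::::::" + "A" * 40 + ":\n"
    "ssb:u:2048:1:FEDCBA9876543210:1500000000::::::e:::+:::23:\n"
    "grp:::::::::" + "B" * 40 + ":\n"
)
# Constructed samples of `gpg-connect-agent 'KEYINFO <grip>' /bye` replies; field 7 is '1' when cached.
SAMPLE_REPLY_CACHED = "S KEYINFO " + "A" * 40 + " D - - 1 P - - -\nOK\n"
SAMPLE_REPLY_UNCACHED = "S KEYINFO " + "B" * 40 + " D - - - P - - -\nOK\n"


def keygrips_from_colons(listing):
    """Extract keygrips from the grp records of a --with-colons --with-keygrip listing."""
    grips = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "grp" and len(fields) > 9 and fields[9]:
            grips.append(fields[9])
    return grips


def cached_from_keyinfo(reply):
    """Return True/False for the cached flag of a KEYINFO status line, None if the agent gave none."""
    for line in reply.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[:2] == ["S", "KEYINFO"]:
            return fields[6] == "1"
    return None


def query_agent(keygrip):
    """Ask the running gpg-agent about one keygrip (requires gpg-connect-agent on PATH)."""
    proc = subprocess.run(["gpg-connect-agent", f"KEYINFO {keygrip}", "/bye"],
                          capture_output=True, text=True, check=False)
    return cached_from_keyinfo(proc.stdout)


def cache_report(listing, query=query_agent):
    """Map every keygrip in the listing to its cache state; `query` is injectable for offline use."""
    return {grip: query(grip) for grip in keygrips_from_colons(listing)}


if __name__ == "__main__":
    live = subprocess.run(["gpg", "--with-colons", "--with-keygrip", "-K"],
                          capture_output=True, text=True, check=True).stdout
    for grip, state in cache_report(live).items():
        print(grip, {True: "cached", False: "not cached"}.get(state, "unknown to agent"))
```

Running it before and after unlocking one of two keys that share a passphrase shows directly whether the agent marks the second keygrip as cached or only the first.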

