[PATCH] Make pinentry-qt read and store passphrases in KDE 3.2's wallet

Matthias Welwarsky mwelwarsky at web.de
Wed Dec 3 16:24:21 CET 2003


On Wednesday 03 December 2003 12:55, Werner Koch wrote:
> On Mon, 1 Dec 2003 21:22:50 +0100, Martijn Klingens said:
> > Apart from coding issues, what's the semantic difference between storing
> > the KWallet passphrase in a GPG encrypted document or storing the GPG
> > passphrase in an encrypted wallet?
>
> What you are doing is to encrypt the key used to encrypt the secret
> key.  That introduces a lot more complexity and thus insecurity.
> It is pointless to store the passphrase of a gpg key in
> encrypted form on the disk.  The only thing you gain from that is
> convenience for the price of reduced security.  If you simply want one
> passphrase for all your apps, use one passphrase and don't store it on
> disk (it doesn't matter whether it is encrypted or not).  Caching a
> passphrase in memory is a different issue.

All my apps, and all my external accounts with the same password. You have to 
explain to me how this is better than a wallet. If I used only one password 
all the time, a lucky attacker would have access to all my external accounts 
without having to even break into my desktop machine. That's not really 
better than a wallet, where he'd have to have access to the machine itself.

As always, best practice is applied every time in favour of security. If you 
force people to use safe, complex passwords, they will write them down on 
little yellow papers and stick them under the keyboard.

If you choose security over convenience, just don't use convenience stuff.
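The two designs argued over above, modelled as an added example (editor's code, not from pinentry, KWallet or gpg). The "wallet" path stores the gpg passphrase on disk encrypted under a key derived from the wallet passphrase, so anyone holding the disk image plus the wallet passphrase recovers the gpg passphrase outright; the "cache" path keeps the passphrase only in process memory with a time-to-live and zeroes it on expiry. The keystream cipher, the scrypt parameters, the keygrip label and the TTL semantics are all assumptions made for the demonstration, not the behaviour of any real agent or wallet.

```python
"""Added example: wallet-on-disk versus in-memory cache for a gpg passphrase.

Toy model only. A SHA-256 counter-mode keystream with an HMAC tag stands in
for a real symmetric cipher so the script runs offline with the stdlib; the
argument concerns where the secret lives, not the cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def kdf(passphrase: bytes, salt: bytes) -> bytes:
    # Assumed parameters; chosen small enough to run quickly in a demo.
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1,
                          maxmem=2**26, dklen=32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one master key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce(16) | ciphertext | tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wallet record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Design 1: passphrase stored on disk, protected by the wallet passphrase ---

def wallet_store(wallet_passphrase: bytes, gpg_passphrase: bytes) -> dict:
    """Return the on-disk record: salt plus the sealed gpg passphrase."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": seal(kdf(wallet_passphrase, salt), gpg_passphrase)}


def wallet_open(wallet_passphrase: bytes, record: dict) -> bytes:
    """What any party with the record and the wallet passphrase obtains."""
    return unseal(kdf(wallet_passphrase, record["salt"]), record["blob"])


# --- Design 2: passphrase cached in memory only, with a time-to-live ---

class PassphraseCache:
    """Agent-style cache: never touches disk, forgets entries after ttl seconds."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._entries: dict[str, tuple[bytearray, float]] = {}

    def put(self, keygrip: str, passphrase: bytes, now: float) -> None:
        self._entries[keygrip] = (bytearray(passphrase), now + self.ttl)

    def get(self, keygrip: str, now: float) -> bytes | None:
        entry = self._entries.get(keygrip)
        if entry is None:
            return None
        buf, expires = entry
        if now >= expires:
            self.forget(keygrip)
            return None
        return bytes(buf)

    def forget(self, keygrip: str) -> None:
        entry = self._entries.pop(keygrip, None)
        if entry is not None:
            buf = entry[0]
            for i in range(len(buf)):  # overwrite before the buffer is freed
                buf[i] = 0


if __name__ == "__main__":
    rec = wallet_store(b"wallet-pass", b"gpg-pass")
    print("disk + wallet passphrase yields:", wallet_open(b"wallet-pass", rec))
    cache = PassphraseCache(ttl_seconds=600)
    cache.put("KEYGRIP", b"gpg-pass", now=0.0)
    print("cached at t=0, read at t=599:", cache.get("KEYGRIP", 599.0))
    print("read at t=600:", cache.get("KEYGRIP", 600.0))
```

In the wallet design the gpg passphrase's confidentiality at rest collapses to that of the wallet passphrase plus possession of the disk, which is the extra layer the quoted reply objects to; in the cache design nothing survives a reboot or the TTL, which is why the reply treats memory caching as a separate question.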


More information about the Gpa-dev mailing list