How easy would it be to create (and prevent the creation of) a fake pinentry?

Raimar Sandner mail at 404not-found.de
Wed Apr 29 16:13:32 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 29 April 2009 15:40:47 Peter Pentchev wrote:
> On Wed, Apr 29, 2009 at 03:31:51PM +0200, Raimar Sandner wrote:
> > On Wednesday 29 April 2009 12:09:02 Olivier Mehani wrote:
> > > Let me explain: having several background-ish applications making use
> > > of the agent, it happens that the pinentry sometimes pops out when the
> > > passphrase cache has expired. One of my first concerns is that there's
> > > no way to identify which application actually needs to use my PGP key.
> > > This one seems to be partially addressed in [0], as the application
> > > could set the title of the pinentry program.
> >
> > The pinentry should only pop up when the application actually needs the
> > key to do something. If pinentry pops up without you doing something that
> > requires your secret key, you should be worried.
>
> ...like, for example, your OpenPGP-powered Jabber client suddenly
> needing to reconnect after something happened to the network and
> you simply didn't notice? :>

Ok, granted there are situations when pinentry pops up without your action. 
Now that you mention it, this happened quite often to me (upon receiving an 
encrypted message though, not on reconnect of the client) before I used OTR 
for instant messaging :D

Raimar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkn4YJEACgkQVsSSMllCZClffgCeN9bcIf7FGeNAdh2x5+rQJPcN
oCEAn3bET0TLH0dZid+5yym74fKYfesz
=Y0OZ
-----END PGP SIGNATURE-----


