Re: mutt/580: mutt stores PGP passphrase insecurely



* Mon Oct 24 2005 Derek Martin <invalid@xxxxxxxxxxxxxx>
> If I have some free time this week, and Tamo doesn't beat me to it, I
> may hack this up.  I'd need to investigate the "right" way to do this,
> so I'll probably want to take a look at the code in gpg first...

I won't try to fix this issue in mutt. I agree with David Shaw.

If a user is afraid of memory-sniffers, he should use gpg-agent
(or OpenBSD's encrypted swap). Mutt doesn't store the raw PGP
passphrase if $pgp_use_gpg_agent or $crypt_use_gpgme is set.

Oh, but, if mutt locks its memory, it would be good for ImapPass,
PopPass, and SmimePass as well. Although I don't want to use
privileged mutt on my machine, I could accept a separate agent
if well-audited. Possibly it could be good to distribute
something like gpg-agent with mutt. But I won't try to write it.

-- 
tamo
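
The memory-locking idea raised in the message above, as an added example that is not part of the original post and is not mutt or gpg code: a passphrase buffer pinned with mlock() so it stays out of swap, and wiped before release. The secret_* names are hypothetical; the code records whether the kernel granted the lock instead of assuming a privileged process.

```c
/* Added example: hypothetical secret_* helper, not code from mutt or gpg. */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    char  *buf;    /* one page-aligned page holding the secret */
    size_t cap;    /* page size in bytes */
    int    locked; /* 1 if mlock() pinned the page, 0 if the kernel refused */
} secret_t;

/* One page, pinned if the kernel allows it (RLIMIT_MEMLOCK may refuse). */
int secret_init(secret_t *s) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    s->cap = (size_t)page;
    s->buf = aligned_alloc(s->cap, s->cap);
    if (!s->buf) return -1;
    memset(s->buf, 0, s->cap);
    s->locked = (mlock(s->buf, s->cap) == 0);
    return 0;
}

/* Copy a NUL-terminated passphrase in; reject anything that does not fit. */
int secret_set(secret_t *s, const char *pass) {
    size_t n = strlen(pass);
    if (n >= s->cap) return -1;
    memcpy(s->buf, pass, n + 1);
    return 0;
}

/* Zero through a volatile pointer so the stores are not optimized away. */
void secret_wipe(secret_t *s) {
    volatile unsigned char *v = (volatile unsigned char *)s->buf;
    for (size_t i = 0; i < s->cap; i++) v[i] = 0;
}

/* Wipe first, then unlock and release the page. */
void secret_free(secret_t *s) {
    if (!s->buf) return;
    secret_wipe(s);
    if (s->locked) munlock(s->buf, s->cap);
    free(s->buf);
    s->buf = NULL;
    s->locked = 0;
}
```

A caller that finds locked == 0 after secret_init() can warn the user or refuse to cache the passphrase.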