
Re: Forget PGP passphrase when launching editor?



On 2004-10-29 00:03 +0200, mutt@xxxxxxxxxxxxxx wrote:
>> ... forget my PGP passphrase when launching the editor?
> 
> Is there a possible security problem here?

Actually, yes. If the caching time is set long enough, and the user
does not do <forget-passphrases>, someone could send a mail and sign
it using the user's PGP key, thus effectively impersonating them (much
more effectively than simply setting the From header).

A simple boolean option ("editor_forgets_pass"?), defaulting to unset
(the present behavior) probably wouldn't take much code, and would
certainly help mitigate this potential problem.

-- 
Michael Kjörling, michael@xxxxxxxxxxxx - http://michael.kjorling.com/
OpenPGP Fingerprint: 3723 9372 c245 d6a8 18a6 36ac  758F8749 BDE9ADA6
* ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments *
* No bird soars too high if he soars with his own wings. -*- SM0YBY *
