On 2004-10-29 00:03 +0200, mutt@xxxxxxxxxxxxxx wrote:

>> ... forget my PGP passphrase when launching the editor?
>
> Is there a possible security problem here?

Actually, yes. If the caching time is set long enough, and the user does not do <forget-passphrases>, someone could send a mail and sign it using the user's PGP key, thus effectively impersonating them (much more effectively than simply setting the From header). A simple boolean option ("editor_forgets_pass"?), defaulting to unset (the present behavior), probably wouldn't take much code, and would certainly help mitigate this potential problem.

-- 
Michael Kjörling, michael@xxxxxxxxxxxx - http://michael.kjorling.com/
OpenPGP Fingerprint: 3723 9372 c245 d6a8 18a6 36ac 758F8749 BDE9ADA6
* ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments *
* No bird soars too high if he soars with his own wings. -*- SM0YBY *