Hi,

* Michael Kjorling wrote (2004-10-29 15:27):
>On 2004-10-29 00:03 +0200, mutt@xxxxxxxxxxxxxx wrote:
>>> ... forget my PGP passphrase when launching the editor?
>>
>> Is there a possible security problem here?
>
>Actually, yes. If the caching time is set long enough, and the user
>does not do <forget-passphrases>, someone could send a mail and sign
>it using the user's PGP key, thus effectively impersonating them (much
>more effectively than simply setting the From header).

OK, but how does the editor come into this?

>A simple boolean option ("editor_forgets_pass"?), defaulting to unset
>(the present behavior) probably wouldn't take much code, and would
>certainly help mitigate this potential problem.

It sure would, but since I enter the passphrase after leaving the
editor, I'm not sure why I would want to keep it at all.

Thorsten
--
In this country, politics can be defined as the enforcement of
economic aims with the help of legislation.
- Kurt Tucholsky