Hi,

* Michael Kjorling wrote (2004-10-29 15:27):
>On 2004-10-29 00:03 +0200, mutt@xxxxxxxxxxxxxx wrote:
>>> ... forget my PGP passphrase when launching the editor?
>>
>> Is there a possible security problem here?
>
>Actually, yes. If the caching time is set long enough, and the user
>does not do <forget-passphrases>, someone could send a mail and sign
>it using the user's PGP key, thus effectively impersonating them (much
>more effectively than simply setting the From header).

Ok, but how does the editor come into this?

>A simple boolean option ("editor_forgets_pass"?), defaulting to unset
>(the present behavior) probably wouldn't take much code, and would
>certainly help mitigate this potential problem.

It sure would, but since I enter the passphrase after leaving the
editor, I'm not sure why I would want to keep it at all.

Thorsten
--
Politics in this country can be defined as the enforcement of
economic aims with the help of legislation.
    - Kurt Tucholsky