<<< Date Index >>>     <<< Thread Index >>>

Re: Forget PGP passphrase when launching editor?



Moin,

* Michael Kjorling wrote (2004-10-29 15:27):
>On 2004-10-29 00:03 +0200, mutt@xxxxxxxxxxxxxx wrote:
>>> ... forget my PGP passphrase when launching the editor?
>> 
>> Is there a possible security problem here?
>
>Actually, yes. If the caching time is set long enough, and the user
>does not do <forget-passphrases>, someone could send a mail and sign
>it using the user's PGP key, thus effectively impersonating them (much
>more effectively than simply setting the From header).

Ok, but how comes the editor into this?


>A simple boolean option ("editor_forgets_pass"?), defaulting to unset
>(the present behavior) probably wouldn't take much code, and would
>certainly help mitigate this potential problem.

It sure would, but since I enter the passphrase after leaving the
editor, I'm not sure why I would want to keep it at all.


Thorsten
-- 
Politik kann man in diesem Lande definieren als die Durchsetzung
wirtschaftlicher Zwecke mit Hilfe der Gesetzgebung.
    - Kurt Tucholsky

Attachment: pgp4vL1PCrbYo.pgp
Description: PGP signature