[prev in list] [next in list] [prev in thread] [next in thread]
List: gnupg-users
Subject: Re: invalid gpg key revocation
From: Ingo =?utf-8?q?Kl=C3=B6cker?= <kloecker () kde ! org>
Date: 2012-03-07 20:31:11
Message-ID: 201203072131.16722 () thufir ! ingo-kloecker ! de
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
On Tuesday 06 March 2012, Daniel Kahn Gillmor wrote:
> On 03/05/2012 04:36 PM, Ingo Klöcker wrote:
> > 4. He has left his laptop unlocked and unattended for a very short
> > period of time and he is using gpg-agent with a cache-ttl > 0.
> >
> > I have verified that one can generate a revocation certificate
> > without entering a passphrase if one has previously signed
> > something (e.g. an email). So, it was probably just a very nasty
> > prank.
>
> as pranks involving compromise of the secret key go, this is the
> least-nasty prank i can think of.
>
> > Maybe gpg shouldn't use the cached signing passphrase (or any
> > cached passphrase) for generating a revocation certificate.
>
> But it's ok to use the cached signing passphrase for making bogus
> identity certifications?
>
> For signing ersatz love letters?
>
> What's to stop the malefactor from just querying the passphrase
> directly out of gpg-agent and absconding with both it and the secret
> key material to do whatever they want later?
>
> I don't think making the proposed limitation is a helpful one.
Hmm. I guess you are right. Just a minor remark: To my knowledge it is
not possible to get the passphrase out of gpg-agent. The whole point of
gpg-agent is that it encapsulates all operations involving the secret
key and the passphrase in order to minimize the risk of leaks of this
information (see http://www.gnupg.org/aegypten/tech.en.html).
Regards,
Ingo
["signature.asc" (application/pgp-signature)]
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic