On Mon 2015-09-28 16:00:38 -0400, SGT. Garcia wrote:
> i really want it as the only authentication required that is open password
> from
> user logs him in and decrypts the passwords.
>
>> > that would be my email account not my local user account, correct?
>>
>> The attack i described is an attack against your local user account,
>> though i suspect it could be leveraged into an attack against your
>> e-mail account as well.
>
> how does it work, does gnupg phone home? i suspect not. i did not agree to
> import anything but apparently my mail client (mutt) and/or gnupg took the
> initiative to do so. if that's true then that's a misconfiguration or bad
> default configuration of mutt and/or gnupg, i think.
There is no phoning home. Do you ever import keys that other people
send you? or keys you find on the web? or keys attached to e-mail
messages? Are you sure the things imported can't include a secret key?
Apparently i'm not doing a great job at communicating this scenario to
you. sorry about that. Maybe someone else can try to explain it more
clearly than i can.
I understand what you're asking for, and i see how it would be a useful
thing. However, i think you should constrain it much more tightly than
what you appear to be asking for, and i don't think that such a thing
already exists. It would be a bit of engineering work to make sure that
it's functional, but i'd be happy to review something like this if
somebody wants to propose it.
--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
