On Mon, Sep 28, 2015 at 04:10:10PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-09-28 16:00:38 -0400, SGT. Garcia wrote:
> > i really want it as the only authentication required that is open password from
> > user logs him in and decrypts the passwords.
> >
> >> > that would be my email account not my local user account, correct?
> >>
> >> The attack i described is an attack against your local user account,
> >> though i suspect it could be leveraged into an attack against your
> >> e-mail account as well.
> >
> > how does it work, does gnupg phone home? i suspect not. i did not agree to
> > import anything but apparently my mail client (mutt) and/or gnupg took the
> > initiative to do so. if that's true then that's a misconfiguration or bad
> > default configuration of mutt and/or gnupg, i think.
>
> There is no phoning home. Do you ever import keys that other people
> send you? or keys you find on the web? or keys attached to e-mail
> messages? Are you sure the things imported can't include a secret key?

this is the first time i hear about *importing* to be honest. after reading, yes
just reading, your email a new key was added and on the next run of 'notmuch new'
i was asked for it by pinentry. i'm guessing mutt imports any key it finds in
attachments.

> Apparently i'm not doing a great job at communicating this scenario to
> you. sorry about that. Maybe someone else can try to explain it more
> clearly than i can.

it's not your fault. i think i'm missing some background on this.

> I understand what you're asking for, and i see how it would be a useful
> thing. However, i think you should constrain it much more tightly than
> what you appear to be asking for, and i don't think that such a thing
> already exists. It would be a bit of engineering work to make sure that
> it's functional, but i'd be happy to review something like this if
> somebody wants to propose it.
>
> --dkg

for now i just nuked my old .gnupg directory and created a new one without
passphrase. seems to accomplish the same thing, i.e. no more annoying passphrase
dialog. i will have to confirm on the next boot though.

sgt
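
The question quoted above, whether imported material can include a secret key, can be answered for a given file before it is handed to gpg. The following is an added example, not code from the thread or from GnuPG: it walks the RFC 4880 packet headers of a key file and reports secret-key packets (tags 5 and 7). The function names and the sample bytes are constructed for illustration.

```python
import base64
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}  # RFC 4880 packet tags

def dearmor(data: bytes) -> bytes:
    # Decode a single ASCII-armored block; binary input is returned unchanged.
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.strip().splitlines()[1:]:
        line = line.strip()
        if line.startswith(b"-----END"):
            break
        if not in_body:
            in_body = line == b""          # blank line ends the armor headers
        elif not line.startswith(b"="):    # skip the CRC24 checksum line
            body.append(line)
    return base64.b64decode(b"".join(body))

def packet_tags(blob: bytes):
    # Yield the tag of each top-level packet without parsing packet bodies.
    i = 0
    while i < len(blob):
        hdr, i = blob[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                     # new-format header
            tag, o = hdr & 0x3F, blob[i]
            if o < 192:
                length, i = o, i + 1
            elif o < 224:
                length, i = ((o - 192) << 8) + blob[i + 1] + 192, i + 2
            elif o == 255:
                length, i = int.from_bytes(blob[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled")
        else:                              # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(blob[i:i + n], "big"), i + n
        yield tag
        i += length

def secret_material(data: bytes) -> list:
    # Names of any secret-key packets found; an empty list means none.
    return [SECRET_TAGS[t] for t in packet_tags(dearmor(data)) if t in SECRET_TAGS]
# Constructed sample packets (headers are real, bodies are filler bytes).
PUBLIC_ONLY = bytes([0x98, 3]) + b"\x04AB" + bytes([0xB4, 4]) + b"test"
WITH_SECRET = PUBLIC_ONLY + bytes([0x94, 2]) + b"\x04X" + bytes([0xC7, 1]) + b"\x04"
```

A non-empty result from `secret_material()` on an attachment or downloaded key file means the file carries secret-key packets and should not be imported blindly.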