I didn't expect to start a religious war, but being Jewish, I can
appreciate this....
I just wanted to know why. "It was cached temporarily" was enough for me,
but the responses were intriguing.
:>
On Thu, Mar 30, 2000 at 01:20:09PM +0200, Thomas Roessler muttered:
> On 2000-03-30 12:06:42 +0100, Edmund GRIMLEY EVANS wrote:
>
> > I was thinking of something simpler: mutt spawns a suid
> > program called muttpgphelper, say, and gives the
> > passphrase to this program. When mutt wants to invoke
> > gnupg it sends a request down a pipe to muttpgphelper
> > which then invokes gnupg and gives the passphrase to
> > gnupg down another pipe.
>
> I think a more interesting variant may be some kind of
> passphrase-agent which is directly contacted by gnupg, pgp
> & friends through some Unix domain socket. I have even
> some code from a year or two ago.... However, this has
> two downsides:
>
> (1) mutt still has to temporarily store the pass phrase or
> parts thereof in insecure memory
>
> (2) same with most versions of PGP - remember, most don't
> run setuid root.
>
> (3) this approach requires modifications to all PGP
> back-ends used.
>
> Frankly, I really don't believe one should expect highest
> security from low-security devices. If you really care,
> don't use a pass phrase, and software crypto, but use a
> smart card with biometric user authentication for all the
> public-key crypto.
>
> --
> http://www.guug.de/~roessler/
>
--
/helfman
"At any given moment, you may find the ticket to the circus that has always been in
your possession."
Fingerprint: 2F76 2856 776A 3E07 9F3E 452A 17D9 9B28 D75E 0A36
GnuPG http://www.gnupg.org Get Private! 1024D/D75E0A36
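An added example, not code from this thread nor from mutt or GnuPG: a toy passphrase agent behind a Unix domain socket in the shape Roessler describes, which hands the passphrase only to clients running under the agent's own uid and wipes it in place afterwards. The wire format ("GET" / "OK ...") and all function names are assumptions.

```python
import os
import socket
import struct
import tempfile
import threading

def peer_uid(conn):
    # uid of the connected peer via SO_PEERCRED (Linux only); None elsewhere
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, 12)
    return struct.unpack("3i", creds)[1]  # struct ucred: (pid, uid, gid)

def agent_listen(path):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o077); srv.bind(path); os.umask(old)  # owner-only socket node
    srv.listen(4)
    return srv

def agent_serve(srv, secret, n):
    # Answer n requests: 'GET\n' -> 'OK <passphrase>'; refuse other uids/verbs.
    outcomes = []
    for _ in range(n):
        conn, _addr = srv.accept()
        with conn:
            uid = peer_uid(conn)
            if uid is not None and uid != os.getuid():
                conn.sendall(b"ERR denied\n"); outcomes.append("denied")
            elif conn.recv(64) != b"GET\n":
                conn.sendall(b"ERR bad request\n"); outcomes.append("bad")
            else:
                conn.sendall(b"OK " + bytes(secret) + b"\n"); outcomes.append("ok")
    return outcomes

def ask_agent(path, request=b"GET\n"):
    # Client side (what a gnupg/pgp back-end would do): one request, one reply.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(request)
        return c.recv(256)

def demo(passphrase=b"correct horse"):
    # Constructed run: one valid request, one unknown verb, then wipe the secret.
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")
    secret, srv, box = bytearray(passphrase), agent_listen(path), {}
    t = threading.Thread(target=lambda: box.update(o=agent_serve(srv, secret, 2)))
    t.start()
    replies = [ask_agent(path), ask_agent(path, b"DUMP\n")]
    t.join(); srv.close(); os.unlink(path)
    secret[:] = b"\0" * len(secret)   # zero in place once no longer needed
    return replies, box["o"], bytes(secret)
```

The `secret` is kept in a bytearray so it can be zeroed in place, which is the only mitigation available in-process for downside (1) above; it does not stop the kernel from paging it out.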