bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg

[Roland Winkler]

On Sat Jan 28 2012 Lars Ingebrigtsen wrote:
> "Roland Winkler" <winkler@gnu.org> writes:
> 
> >   It is highly recommended to store the file .authinfo as an
> >   encrypted file as .authinfo.gpg, though in some cases such a
> >   solution can be inconvenient or otherwise problematic.
> 
> I would say "it's highly discouraged", because putting your
> passwords into the .authinfo.gpg file will render your Emacs
> virtually unusable for reading mail/news/etc. (By default.)
> 
> I mean, unless you think typing in a password three gazillion
> times is OK.

But then it appears to me that elsewhere there is a problem:

Why is it necessary that Emacs reads this file three gazillion
times? I would assume: reading the encrypted file once and holding
the content in memory cannot be more unsecure than storing the
sensitive information in an unencrypted file.

With an unencrypted file, the passwords are definitely lost /
exposed if my laptop is lost or stolen. With an encrypted file, a
thief needs to access the memory of a running (or dumped) emacs
process, which appears less likely to me.

In any case, how are ssh-agent and gpg-agent handling passphrases
that are given to them?

What am I missing here?

Roland