[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fix needed for communication with gpg-agent

From: Chong Yidong
Subject: Re: Fix needed for communication with gpg-agent
Date: Tue, 20 Feb 2007 10:35:29 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.93 (gnu/linux)

Richard Stallman <address@hidden> writes:

> We need to solve this problem one way or another now, because we
> decided to fix a certain security hole by telling users to use
> gpg-agent.  We don't need the most elegant possible fix, but we
> need something reasonable to use.

Has anyone ever said that not using gpg-agent causes a security hole
(except for you)?

The strongest statement I've ever seen is that gpg-agent is highly
recommended, since it provides the most secure way of inputting
passphrases.  Basically, the worry is that someone could somehow
change the Elisp code in your Emacs session so that it records your
passphrase as you are entering it.  This is a non-zero but minuscule

In other words, if you want to be as secure as possible, use X.

Note that if someone is in a position to corrupt your Emacs session,
it is only a little more trouble to create and redirect you to a fake
version of gpg-agent that will intercept your passphrase anyway.  So
you are screwed even if you use gpg-agent in X.

As Ken Thompson once noted, all security risks are relative.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]