From: Sascha Wilde
Newsgroups: gmane.emacs.gnus.general,gmane.emacs.devel
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Tue, 19 Sep 2006 12:02:17 +0200
To: rms@gnu.org
Cc: gdt@work.lexort.com, satyaki@chicory.stanford.edu, Reiner.Steib@gmx.de, ueno@unixuser.org, ding@gnus.org, emacs-devel@gnu.org, Werner Koch, fw@deneb.enyo.de, jas@extundo.com
In-Reply-To: (Richard Stallman's message of "Thu, 07 Sep 2006 17:13:40 -0400")

Richard Stallman wrote:

> The right solution might instead be to push for gpg-agent to be
> production ready, so that entire notion of emacs dealing with
> passphrases can be deprecated.
>
> What's the state of work on this?

Apart from the general problems with gpg-agent/pinentry (it seems
gpg-agent is optimized for use with card readers) the use of gpg-agent
is integrated and documented in the current PGG from CVS Emacs as well
as in the current released version of gnus.

Nonetheless, Miles is right that there are known issues when using
pinentry, and gpg-agent is not yet part of the stable gnupg releases.

So I would say that deprecating input of key passphrases into Emacs is
not an option yet.

Finally, I do agree that the current handling of passphrases in Emacs
is a serious security problem, which should be solved.

cheers
sascha
-- 
Sascha Wilde - no sig today... sorry!