GNU bug report logs - #29907
25.3; Easy PG should warn users that passphrases are not cached forever

Previous Next

Full log

Message #11 received at 29907 <at> debbugs.gnu.org (full text, mbox):

From: John Williams <johnfrombluff <at> gmail.com>
To: Noam Postavsky <npostavs <at> users.sourceforge.net>
Cc: 29907 <at> debbugs.gnu.org
Subject: Re: bug#29907: 25.3; Easy PG should warn users that passphrases are
 not cached forever
Date: Sun, 28 Jan 2018 18:31:28 +0000

[Message part 1 (text/plain, inline)]

Thanks!

On Mon, 29 Jan 2018 at 05:29 Noam Postavsky <npostavs <at> users.sourceforge.net>
wrote:

> John Williams <johnfrombluff <at> gmail.com> writes:
>
> > I encrypted a file using Easy PG. When I did so, I specified a pass
> > phrase via a window manager pop-up dialog and checked the option to
> > save the pass phrase in the "keyring". I am using GNOME, so I assumed
> > that the "keyring" in question was Seahorse.
> >
> > I opened the file again and was not prompted for the pass phrase. I
> > was happy. I rebooted to see if the cache was ephemeral, and lo, it
> > was not. I was happy.
> >
> > A few days later, I attempted to open the file again, and was prompted
> > for the password. I had forgotten it, and now there is no way to
> > access the contents of the file. I am very sad, because the contents
> > of the file are worth about $20,000 to me.
>
> Hmm, I don't think gpg-agent caches over reboots, so I wonder what saved
> your pass phrase the first time.
>
> > Mea culpa. I should not have trusted software for such an important
> > task without reading the manual. But after reading the manual, I find
> > no mention that the pass phrase caching is ephemeral. After much
> > Googling, I found out about gpg-agent and max-cache-ttl.
> >
> > I don't think it's reasonable to expect users to read long manuals, or
> > already be experts in underlying technology, in order to use simple
> > functionality. I also think the the dialog that prompts for a pass
> > phrase should inform the user about default-cache-ttl and
> > max-cache-ttl.
> >
> > I also think the dialog, and the manual, should emphasise very
> > strongly that pass phrases are not cached forever.
>
> I somewhat feel that the term "cache" already implies temporary, but
> saying it explicitly shouldn't hurt I guess.  Emacs is not in control of
> the dialog at all, so we cannot affect that.
>
> --- i/doc/misc/epa.texi
> +++ w/doc/misc/epa.texi
> @@ -474,7 +474,9 @@ Caching Passphrases
>
>  Typing passphrases is a troublesome task if you frequently open and
>  close the same file.  GnuPG and EasyPG Assistant provide mechanisms to
> -remember your passphrases.  However, the configuration is a bit
> +remember your passphrases for a limited time.  Using these, you only
> +need to re-enter the passphrase occasionally.
> +However, the configuration is a bit
>  confusing since it depends on your GnuPG installation <at> xref{GnuPG
>  version compatibility}, encryption method (symmetric or public key),
>  and whether or not you want to use gpg-agent.  Here are some
>

[Message part 2 (text/html, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.