On Mon, Oct 14, 2013 at 5:04 AM, guns <[email protected]> wrote:
> On Sun 13 Oct 2013 at 04:58:25PM +0200, Johan Venant wrote:
>
> Passing a secret via argv or the environment is unadvisable because it
> can easily be acquired by other users on the system through ps(1) and
> other means.
>
> In contrast, while gpg-agent is a feature that trades security for
> convenience, its socket is at least scoped to the current user only.
>
> In addition, GnuPG's pinentry programs aim to be as secure as possible¹,
> so I don't mind giving my password to gpg/gpg-agent via its dialogs. I
> don't necessarily _distrust_ your plugin's password dialog, but being
> cavalier about typing one's password is a good way to get compromised.
>
Using a third-party program is always a risk. As you said, even using gpg-agent is a risk. It could give easy access to your encrypted data to any kind of program. Security vs convenience, it's always a choice to make. But I clearly understand your point.

> I may be missing something, but if your plugin knows GPG_AGENT_INFO and
> can exec `gpg2`, then GnuPG's pinentry->gpg-agent mechanism should just
> work as expected. Ensuring that Firefox inherits GPG_AGENT_INFO is the
> responsibility of the user/OS, not the client.
>

Accessing GPG_AGENT_INFO isn't a problem. The problem comes from the inability of gpg-agent to open the pinentry dialog box from inside Firefox. That's what I understand from the error message: "Error opening terminal: unknown."

1- gpg tries to get the data.
2- It asks gpg-agent for the passphrase.
3- gpg-agent doesn't have it and tries to open a GTK/Qt dialog box to ask the user for it.
4- For some reason (X environment, Firefox restrictions, permissions, ...) gpg-agent can't open the dialog box.
5- It falls back to the ncurses (terminal) version, which doesn't work any better.

Anyway, as you said, it's not a password manager issue. It was just to say. I will first try to release a version without passphrase management. In a second step, if the add-on is useful (and used by other people than just me ^_^), I will try to deal with the gpg-agent dialog box and the passphrase
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
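The five-step failure chain Johan describes, as an added diagnostic script that is not part of the thread and not code from either poster: a simplified model of which pinentry gpg-agent can use given the environment the launching process (Firefox, in the thread) inherited, plus a check that GPG_AGENT_INFO names a socket that actually exists. It assumes the GnuPG 2.0-era GPG_AGENT_INFO layout `<socket>:<pid>:<protocol>` and approximates "has a terminal" by "GPG_TTY names a character device".

```shell
#!/bin/sh
# Added example, not code from the thread. Simplified model of the pinentry
# choice behind the five-step failure: a GUI pinentry needs DISPLAY, the
# curses fallback needs a terminal (what GPG_TTY tells gpg-agent about), and
# with neither the curses pinentry dies with "Error opening terminal: unknown."

# agent_socket "<socket>:<pid>:<protocol>" -> prints the socket path
# (GnuPG 2.0-era GPG_AGENT_INFO layout; an assumption, see lead-in).
agent_socket() {
    [ -n "$1" ] || return 1
    printf '%s\n' "${1%%:*}"
}

# agent_reachable GPG_AGENT_INFO -> 0 if the named path exists as a socket.
# This is the part the thread says already works inside Firefox.
agent_reachable() {
    sock=$(agent_socket "$1") || return 1
    [ -S "$sock" ]
}

# pinentry_mode DISPLAY GPG_TTY -> gui | curses | none
# A usable tty is approximated by "exists and is a character device".
pinentry_mode() {
    if [ -n "$1" ]; then
        echo gui
    elif [ -n "$2" ] && [ -c "$2" ]; then
        echo curses
    else
        echo none
    fi
}

# diagnose GPG_AGENT_INFO DISPLAY GPG_TTY -> one line in the thread's terms
diagnose() {
    if ! agent_reachable "$1"; then
        echo "step 2 fails: GPG_AGENT_INFO missing or its socket is absent"
        return 1
    fi
    case "$(pinentry_mode "$2" "$3")" in
        gui)    echo "step 3 ok: GUI pinentry can open on DISPLAY=$2" ;;
        curses) echo "step 5 ok: curses pinentry can use GPG_TTY=$3" ;;
        none)   echo "step 5 fails: no DISPLAY and no terminal, expect 'Error opening terminal: unknown.'"
                return 2 ;;
    esac
}

# Stand-alone run: report on the environment of the current shell.
diagnose "${GPG_AGENT_INFO:-}" "${DISPLAY:-}" "${GPG_TTY:-}" || true
```

Run it from the same environment the browser was started in to see which of the three inputs the add-on's child gpg2 process is missing.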
