gpg-agent should have prompt-for-use mechanism
Open, NormalPublic

Description

gpg-agent now supports/facilitates forwarding of the agent socket over the
network. This introduces a possibility of a remote attacker getting to
arbitrarily misuse the secret keys stored in the agent.

It would be useful to have a mode where the agent knows the unlocked secret key,
but prompts the user to confirm the use of the key when it receives a request.

I assume that pinentry (or something like it) would be used for the prompting,
but i would hope that it wouldn't require full passphrase entry; loading the key
into the agent should require the passphrase, but each use in this scenario
should only require dealing with a dialog like:

Permit use of key X?
[OK] [Cancel]"
dkg added a subscriber: dkg.
werner added a subscriber: werner.Feb 18 2015, 10:46 AM

We already have that "confirm" flag for ssh and thus adding code to use it for
the extra-socket feature should be easy. The open question is how to disable
this feature on a per key base. A ~/.gnupg/confirmcontrol or similar file could
be used to record those keys which do not need confirmation or if persistance is
not required a checkbox in pinentry could be used to show the confirmation
dialog only once per session.

olfway added a subscriber: olfway.Oct 2 2019, 7:06 AM