Page MenuHome GnuPG
Create Task
Maniphest T2018

Show passphrase constraint errors as password prompt errors instead of one-button prompts
Closed, ResolvedPublic
Actions

Description

pinentry-gnome3 raised some usability concerns on GNOME side.

This bug is about one use of a one-button prompt

When passphrase constraints are enforced, generating a new gpg key and inserting a weak
passphrase triggers a one-button prompt informing the user entered an insecure.

As GNOME Shell prompter is system modal, there are two issues noted by Stef that we would
like to avoid:

  1. blocking all other user interaction with their own machine to give them a message

(error or not) is problematic

  1. some of these things are just notifications that should be handled as such, and not

put up a dialog

Discussing with Neal and Stef about the use case cited above, we agreed that that type of
message would be better presented as an error in password prompt.

Attached patch changes gnupg to not show one-button prompts for passphrase constraints
related messages when passphrase constraints are enforced.

Related Objects

Event Timeline

yuuma added projects: gnupg, Bug Report.Jun 18 2015, 5:21 AM
yuuma added a subscriber: yuuma.

D312: 643_0001-Show-passphrase-constraints-errors-as-password-promp.patch

neal added a subscriber: neal.Jun 18 2015, 12:20 PM

D311: 644_0001-Show-passphrase-constraints-errors-as-password-promp.patch

neal added a comment.Jun 18 2015, 12:20 PM

A few comments:

The special casing is take_this_one_anyway2 is wrong. Instead, in
check_passphrase_constraints, if failed_constraints is not NULL, we just
shouldn't call check_passphrase_constraints.

You also removed a translation.

You didn't update the copyright year.

You didn't include a signed-off-by line.

I've created a new patch.

neal added a subscriber: werner.Jun 18 2015, 12:24 PM

Werner:

Some brief background: the Gnome people want one-button confirmations to appear
as notifications, which can be dismissed asynchronously. This patch changes the
passphrase constraint violation 1-button confirmation (when
enforce-passphrase-constraints is set in gpg-agent.conf), which should be
displayed as a synchronous dialog, to instead be an error text displayed with
the next password prompt. Independent of what one thinks of notifications, I
think this change is a usability improvement.

yuuma added a comment.Jun 18 2015, 12:50 PM

I'm sorry for the many mistakes.

In the commit message wouldn't it be:
"If FAILED_CONSTRAINT is not NULL and OPT.ENFORCE_PASSPHRASE_CONSTRAINTS is
TRUE, ..."

werner added a comment.Jun 19 2015, 11:21 AM

FWIW, there are 3 different use cases:

  • Prompts about failed passphrase constraints: They do not need to me modal
  • The prompt "Please insert card with S/N XXX" is really a notification and even gpg-agent will dismiss it w/o user interaction: No need to be modal
  • "An ssh process requested the use of key ... please confirm" should IMHO be modal because it has the same purpose as entering a passphrase.
neal added a comment.Jun 19 2015, 3:56 PM

Werner:

The primary issue here isn't whether the dialogs should be model, but whether
they require the immediate attention of the user. Messages that don't require
the user's immediate attention should be shown asynchronously as notifications.
One-button dialogs are generally notifications, since they don't actually give
the user any choice. If a one-button dialog does require a synchronous
interaction then it is probably a bug.

Consider the bad passphrase case (and let's ignore the rest, since they are not
relevant to this issue). If we are not enforcing passphrase constraints and the
user enters a bad passphrase, then it makes sense to show a dialog. The user
has two options: "Enter a new passphrase" and "Take this one anyway"; GnuPG
needs more information from the user before it can continue.

If we are enforcing the passphrase constraints, then we currently show a dialog
with a single option: continue. The dialog is informational. However, the
dialog can't be shown as a notification: the user needs to know why he or she
needs to redo the enter-a-new-passphrase step. A background notification is
insufficient. The assertion is that this is actually a bug. This information
can be better shown in the enter passphrase dialog. That's exactly what this
patch does.

Do you agree with this reasoning? Can I apply this patch?

Thanks,

Neal

neal added a comment.Jun 29 2015, 4:01 PM

I've now pushed my version of this patch.

neal closed this task as Resolved.Jun 29 2015, 4:01 PM
neal claimed this task.