"Steven M. Bellovin" <smb(_at_)research(_dot_)att(_dot_)com> said:
> in the Holy Name of Convenience, many (most?) mailers permit a
> passphrase to be cached for some amount of time. A virus could
> exploit that.

Ok. So, you're reasoning on the assumption that the user and her system
engineer are both incompetent, that the software being used cannot be trusted
and that a virus is potentially already active on the user's system. Under
such assumptions, what do you foresee as a possible solution?

When I said:
> I would hope that any software I use, that is able to put my digital signature
> on some data, would ask me for my pass-phrase every time my private key is
> used.

I meant that these were my requirements for a reliable system. But, unless I
were to be provided with all the sources and took the time to carefully analyze
them, I would, in the end, still be relying on somebody else's "promise" that
the software doesn't do anything stupid with my private key. The least I could
do, though, is to check that the system I use at least pretends to be doing
what I consider safe to do. Still, when I disable scripting in my mail user
agent and my browser, can I be 100% sure that no script will ever be executed?

"Steven M. Bellovin" <smb(_at_)research(_dot_)att(_dot_)com> also said:
> A virus [snip] could wait until you tried sending
> some signed mail, and grab the key then. It could even wait, and
> then pop up its own key window that masquerades as the real one,
> followed by a box saying that you entered your passphrase
> incorrectly, and that you should retry it, in the real prompt. There
> are operating system techniques that can prevent that latter attack,
> such as the "trusted path".

Interesting. Do you have a reference (preferably a URL) that describes the
"trusted path" technique?

Peace,
Bertrand Ibrahim.
--------------------------------------------
Bertrand(_dot_)Ibrahim(_at_)cui(_dot_)unige(_dot_)ch
http://cui.unige.ch/eao/www/Bertrand.html