It breaks mailpile because gpg-agent is not session aware.  A user could
be logged in locally, using mailpile, and a remote attacker could access
the web interface of that locally running mailpile instance, which since
it is talking to the same gpg-agent, would think the remote user is
logged in (or more precisely, has the private key).

I think that one solution would be to have mailpile use a per-session
gpg home dir.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
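The per-session home directory suggested in the message above could look like the following sketch. It is an added example, not Mailpile or GnuPG code; the class and method names are hypothetical, and it assumes the application imports the user's secret key into the session directory after that session authenticates.

```python
import os
import shutil
import stat
import subprocess
import tempfile


class SessionGnupgHome:
    """One private GnuPG home directory (and so one gpg-agent) per web session."""

    def __init__(self, base_dir=None):
        # mkdtemp creates the directory with mode 0700; gpg warns about
        # unsafe permissions on a homedir that other users can read.
        self.path = tempfile.mkdtemp(prefix="gnupg-session-", dir=base_dir)

    def env(self):
        # gpg and gpg-agent locate the agent socket from the home directory,
        # so a process started with this environment does not talk to the
        # agent (and cached passphrases) of another session.
        env = dict(os.environ)
        env["GNUPGHOME"] = self.path
        env.pop("GPG_AGENT_INFO", None)  # legacy pointer to a shared agent
        return env

    def run_gpg(self, args, **kwargs):
        # Hypothetical helper: every gpg call for this session goes through here.
        return subprocess.run(["gpg", "--batch", *args], env=self.env(), **kwargs)

    def close(self):
        # On logout: stop this session's agent, dropping its cached keys,
        # then delete the key material held in the session homedir.
        if shutil.which("gpgconf"):
            subprocess.run(
                ["gpgconf", "--homedir", self.path, "--kill", "gpg-agent"],
                env=self.env(), check=False,
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        shutil.rmtree(self.path, ignore_errors=True)


def demo():
    # Constructed scenario: a local session and a remote one get separate homedirs.
    local, remote = SessionGnupgHome(), SessionGnupgHome()
    try:
        mode = stat.S_IMODE(os.stat(local.path).st_mode)
        return local.env()["GNUPGHOME"] != remote.env()["GNUPGHOME"], mode
    finally:
        local.close()
        remote.close()
```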
