On Fri, Nov 24, 2017 at 2:27 AM, Elias Mårtenson <[email protected]> wrote:
> On Friday, 24 November 2017 15:05:27 UTC+8, Jean-Philippe Ouellet wrote:
>
>> ...but surely not *all* of them able to perform any operation they want on any data they want using any key they want as soon as you authorize it once for any VM! (by default the agent authorizes any use of the keyring for 300 seconds(?) after first use)
>
> Yes, 300 seconds is the default. And it's only authorised for a given VM. Trying to sign from another VM will present the popup again.

Ah, indeed. Having only ever had 1:1 some-vm:some-vm-gpg pairs I had not realized this was the case. I apologize.

> As long as I don't accept the GPG warning popup unless I know it's OK, I don't see this as an issue. Also, every signing request during these 300 seconds will display a notification, which will quickly reveal if there are any strange things happening (and, again, I'd need to manually authorise the first access anyway).
>
>> Was there some documentation you got this from? If so, please do point me to it so I can correct it ASAP.
>
> When I initially did this for 3.2, I followed the official documentation on this, which gave me the configuration that is identical to what I managed to set up with 4.0 now:
> https://www.qubes-os.org/doc/split-gpg/

That documentation never suggests a policy of allowing from any VM. The old policy-accept GUI it has a screenshot of (when saying "Yes to All") modifies the policy to allow *only the specific src/dest pair* for future requests.

> There are no mentions of limiting access to specific VMs, and the following statement seems pretty reasonable to me:
>
> “With Qubes Split GPG this problem is drastically minimized, because each time the key is to be used the user is asked for consent (with a definable time out, 5 minutes by default), plus is always notified each time the key is used via a tray notification from the domain where GPG backend is running. This way it would be easy to spot unexpected requests to decrypt documents.”
>
> The attack scenario you describe just doesn't seem as serious to me as it does to you. This scenario would involve a rogue application calling qubes-gpg-client to attempt to sign some data, and somehow manage to trick me into accepting the request.

Well, of course you're welcome to do whatever you'd like.
Just don't say I didn't warn you :)

Regards,
Jean-Philippe
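Added example for the policy point raised in this reply (it is not code from the thread or from Qubes OS): a small linter for legacy-style qrexec policy lines that flags rules handing the GPG backend to `$anyvm` without a prompt, next to a scoped rule of the kind the "Yes to All" prompt records. The `src dst action` line format and the `$anyvm` wildcard are assumptions of this example; `$tag:`/`$type:` selectors are not modelled, and both sample policies are constructed.

```python
"""Lint a legacy qrexec policy file (Qubes 3.2 / 4.0 style) for qubes.Gpg.
Constructed example for this thread, not code from Qubes OS or either poster.
Assumed line format:  <source> <destination> <action>[,opt=val ...]
with '$anyvm' as the wildcard; '$tag:'/'$type:' selectors are not modelled.
"""
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str
    dst: str
    action: str   # allow / deny / ask
    options: str  # e.g. "target=work-gpg", kept verbatim


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into rules, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, act = parts
        action, _, options = act.partition(",")
        rules.append(Rule(src, dst, action.lower(), options))
    return rules


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Policy is evaluated top-down; the first rule matching (src, dst) decides."""
    for r in rules:
        if r.src in (src, "$anyvm") and r.dst in (dst, "$anyvm"):
            return r
    return None


def broad_allow_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that hand the GPG backend to *every* qube without a prompt."""
    return [r for r in rules if r.action == "allow" and r.src == "$anyvm"]


# Constructed sample policies: a permissive one versus what the
# "Yes to All" prompt records, i.e. one explicit src/dst pair.
WEAK_POLICY = """\
$anyvm work-gpg allow
$anyvm $anyvm ask
"""
SCOPED_POLICY = """\
work-email work-gpg allow
$anyvm $anyvm ask
"""
```

Run `broad_allow_rules(parse_policy(open("/etc/qubes-rpc/policy/qubes.Gpg").read()))` against a real policy file to see whether any rule grants every qube unprompted access.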
