On 11/24/2017 08:27 AM, Elias Mårtenson wrote:
> The attack scenario you describe just doesn't seem as serious to me as
> it does to you. This scenario would involve a rogue application calling
> qubes-gpg-client to attempt to sign some data, and somehow manage to
> trick me into accepting the request.

I believe the threat Jean-Philippe is describing is something like:
 * You use an untrusted VM to perform some GPG operation
 * However, it was infected and something was waiting for you to accept this
 * This something can now perform any GPG operation it wants during
300s using your secret keys

Which is an argument against using split GPG from untrusted domains. And
this argument against using split GPG from untrusted domains then
naturally encourages the policy to actually disallow using split GPG
from untrusted domains, instead of allowing it. Even leaving the default
“ask” operation, it means you have to misthink twice in order to let an
untrusted VM access your keyring, including once with an unusual popup
(as the policy for your frequently-signing VMs will already be set to
“allow” by clicking the “allow for all” button); so it's better than
having “$anyvm split-gpg allow”.
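As an added example (not code from this thread or from Qubes itself), a small audit script for the policy point above. It assumes the Qubes 4.0 qrexec policy line format `source destination action[,options]`, with `$anyvm` matching any VM, first matching rule winning, and no match meaning deny; it flags the `$anyvm ... allow` catch-all and shows the effect of the explicit deny for the untrusted domain.

```python
"""Audit a qrexec policy (e.g. /etc/qubes-rpc/policy/qubes.Gpg) for rules that
hand split-GPG access to every VM without a prompt.

Assumptions (not verified against this thread): lines are
`source destination action[,opt=value...]`, `#` starts a comment, `$anyvm`
matches any VM, the first matching rule wins, and no match means deny.
"""

# Constructed sample policy, not copied from any real system.
WEAK_POLICY = """\
# Frequently-signing qubes, granted via the "allow for all" button
work vault allow
mail vault allow
# The untrusted domain is explicitly denied, as argued in the thread
untrusted vault deny
# Catch-all: the "$anyvm split-gpg allow" the message warns against
$anyvm vault allow
"""

# Same policy with the catch-all left at the default "ask".
HARDENED_POLICY = WEAK_POLICY.replace("$anyvm vault allow", "$anyvm vault ask")


def parse_policy(text):
    """Yield (lineno, source, destination, action, options) per rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields in {raw!r}")
        src, dst, action_opts = parts
        action, _, opts = action_opts.partition(",")
        yield lineno, src, dst, action, opts


def effective_action(text, source, destination):
    """First matching rule decides; an unmatched call is denied."""
    for _, src, dst, action, _ in parse_policy(text):
        if src in (source, "$anyvm") and dst in (destination, "$anyvm"):
            return action
    return "deny"


def audit(text):
    """Report catch-all rules that grant access to any VM without a prompt."""
    return [
        f"line {lineno}: '$anyvm {dst} allow' lets every VM use the keyring silently"
        for lineno, src, dst, action, _ in parse_policy(text)
        if src == "$anyvm" and action == "allow"
    ]
```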

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/1f7a893a-79b0-2ba6-705b-525411450fa7%40gaspard.ninja.