GPGTools: Discussion, 2017-09-14T12:05:36Z
Reducing multiple passphrase entries
Comment, 2012-04-24T13:29:44Z
<div><p>Hi Ian,</p>
<p>please download the latest GPGMail version from <a href=
"http://nightly.gpgtools.org">http://nightly.gpgtools.org</a>.<br>
It includes a preference which will let you switch off the
generation of the preview snippets, which are at fault for the
multiple passphrase entries, especially if you use more than one
GPG key and have encrypted messages for each key.</p>
<p>Let us know if it solves your problem.</p></div>
Luke Le
Comment, 2012-04-24T14:54:51Z
<div><p>Thanks, that seems to have done the trick!</p>
<p>Ian.</p></div>
Ian Brown
Comment, 2012-04-24T14:56:39Z
<div><p>Very nice!<br>
We've also discussed your proposal to clean the passphrase cache on
logout and will implement it.</p>
<p>Closing this discussion, feel free to open a new one any
time!</p></div>
Luke Le
Comment, 2012-04-30T10:31:25Z
<div><p>Hi. I see that your update hasn't <em>quite</em> done what I was
asking. Let me explain further.</p>
<p>I have a long-term signature key pair. I also regularly generate
shorter-life subkeys for encryption purposes.</p>
<p>I just sent a message to a colleague whose public key I have. I
was asked once for my passphrase to unlock my long-term private
key. The message was signed/encrypted and sent.</p>
<p>I then looked again at the message in my sent folder. I was
asked again for my passphrase, to unlock my shorter-life private
subkey - even though it's the same passphrase.</p>
<p>Since it will generally be the case that the same passphrase is
used for keys and their subkeys, could you update your code so that
it tries existing cached passphrases before asking users for a new
one?</p>
<p>Even better, could you have an option to save sent messages
(plus decrypted received messages) as plaintext (with a separate
signature MIME part)? I use FileVault to protect my local storage.
That way, when my shorter-life subkeys expire, I can delete the
private part, preventing its future compromise.</p>
<p>Thanks!<br>
Ian.</p></div>
Ian Brown
Comment, 2012-05-22T11:53:24Z
<div><p>Does this Knowledge Base article answer your question?<br>
<a href=
"http://support.gpgtools.org/kb/faq/can-i-store-my-passphrase-so-i-dont-get-asked-for-it-for-every-single-mail-i-decrypt">
http://support.gpgtools.org/kb/faq/can-i-store-my-passphrase-so-i-d...</a></p>
<p>If not, what functionality do you think is missing?</p>
<p>All the best,<br>
steve</p></div>
Steve
Comment, 2012-05-22T12:02:06Z
<div><p>Hi. No. I don't want to store my passphrase in my keychain. I
have the other option set, but it is asking for the (same)
passphrase when I need to sign messages (using my long-term private
signature key) and decrypt messages (using a short-lifetime private
decryption subkey).</p></div>
Ian Brown
Comment, 2012-05-22T12:13:02Z
<div><p>I'm not sure I understand all the terminology you use.</p>
<p>You use one key (sec) for signatures. You don't change it so you
call it longtime.</p>
<p>Then you have another sec key you use to decrypt mails. You
rotate that key so you call it short-lifetime.</p>
<p>Do I understand that correctly?</p>
<p>Those keys both have the identical mail address they make use
of?</p>
<p>The idea behind that is that you can rotate your sec key while
your friends can still verify your signature, because you didn't
rotate that sec key? Is that the idea?</p>
<p>But they wouldn't be able to write you encrypted mails
without obtaining the new pub key, no?</p>
<p>I'm not sure I get the point of the scenario. Please help us
understand.</p></div>
Steve
Comment, 2012-05-22T12:22:14Z
<div><p>Yes to all your questions.</p>
<p>See <a href=
"http://tools.ietf.org/html/rfc4880#section-5.5.1.2">http://tools.ietf.org/html/rfc4880#section-5.5.1.2</a>
for the PGP standard section that explains this key-subkey
structure.</p>
<p>The benefit is that when your encryption subkey pair expires, if
you securely delete the private key, it cannot later be hacked or
otherwise compromised and then used to decrypt captured ciphertext.
More in section 1 of <a href=
"http://www.apache-ssl.org/openpgp-pfs.txt">http://www.apache-ssl.org/openpgp-pfs.txt</a>.</p></div>
Ian Brown
Comment, 2012-05-27T14:31:05Z
<div><p>Hey Ian,</p>
<p>this is basically a feature request for the people at <a href=
"http://www.gnupg.org">www.gnupg.org</a>.</p>
<p>If gpg-agent can't find the passphrase in its cache, it would
call up pinentry. pinentry would then look whether a passphrase is saved
in the Mac keychain. If not, the pinentry window asks the user for
it.</p>
<p>The problem here is that gpg needs to ask gpg-agent whether
there is a stored passphrase for the main key already. gpg asks
twice, for encrypting and signing. So your request makes sense, but
needs to be addressed in gpg itself. When that is done you should
be fine. So feel free to get in touch with them via the mailing
list.</p>
<p>Hope this helps,<br>
steve</p></div>
Steve
Comment, 2012-05-27T15:19:14Z
<div><p>Ok. Thanks!</p></div>
Ian Brown
Comment, 2012-05-27T15:22:36Z
<div><p>No problem. Sorry we can't offer an easy fix for this. But the
people at gnupg.org are very kind and supportive. So good luck, I'm
sure they are open to good feature requests.</p>
<p>All the best,<br>
steve</p></div>Steve
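Steve's description of the lookup order (gpg-agent cache, then pinentry and the keychain, then a prompt) and Ian's request to clear the cache on logout can both be checked from the command line. The script below is an added example, not code from this thread, GPGTools or GnuPG; it assumes GnuPG 2.1 or later with gpg-connect-agent on PATH, parses the agent's KEYINFO output to show which keys or subkeys currently hold a cached passphrase, and flushes the cache the way a logout hook would.

```shell
#!/bin/sh
# Added example, not GPGTools or GnuPG code. Shows which private keys and
# subkeys gpg-agent currently holds an unlocked passphrase for, and how to
# flush that cache (e.g. from a logout hook). Assumes GnuPG 2.1+ with
# gpg-connect-agent on PATH; without it, the constructed sample below is used.
set -eu

# Layout of a KEYINFO status line as emitted by gpg-agent:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# <cached> is "1" while the passphrase sits in the agent cache, "-" otherwise.
count_cached() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { n++ } END { print n + 0 }'
}

list_cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Constructed sample; keygrips are placeholders, not real keys. The primary
# (signing) key is cached, the encryption subkey is not: the state that makes
# Mail prompt a second time for the same passphrase.
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

# Live query of the running agent, falling back to the sample if that fails.
keyinfo() {
    gpg-connect-agent --no-autostart 'KEYINFO --list' /bye 2>/dev/null ||
        printf '%s\n' "$SAMPLE_KEYINFO"
}

# Drop every cached passphrase; the call a logout hook would make.
flush_cache() {
    gpg-connect-agent --no-autostart reloadagent /bye >/dev/null 2>&1 || return 0
}

main() {
    echo "keygrips with a cached passphrase:"
    keyinfo | list_cached_keygrips
    echo "total cached: $(keyinfo | count_cached)"
    if [ "${1:-}" = "--flush" ]; then
        flush_cache
    fi
}
main "$@"
```

Bounding `default-cache-ttl` and `max-cache-ttl` in gpg-agent.conf limits how long a cached passphrase survives on its own; the `reloadagent` call is what empties the cache immediately.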