On Fri, Nov 24, 2017 at 2:27 AM, Elias Mårtenson <lok...@gmail.com> wrote:
> On Friday, 24 November 2017 15:05:27 UTC+8, Jean-Philippe Ouellet wrote:
>
>>
>> ...but surely not *all* of them able to perform any operation they
>> want on any data they want using any key they want as soon as you
>> authorize it once for any VM! (by default the agent authorizes any use
>> of the keyring for 300 seconds(?) after first use)
>
>
> Yes, 300 seconds is the default. And it's only authorised for a given VM.
> Trying to sign from another VM will present the popup again.
Ah, indeed. Having only ever had 1:1 some-vm:some-vm-gpg pairs I had
not realized this was the case. I apologize.
> As long as I don't accept the GPG warning popup unless I know it's OK, I
> don't see this as an issue. Also, every signing request during these 300
> seconds will display a notification, which will quickly reveal if there
> are any strange things happening (and, again, I'd need to manually
> authorise the first access anyway).
>
>>
>> Was there some documentation you got this from? If so, please do point
>> me to it so I can correct it ASAP.
>
>
> When I initially did this for 3.2, I followed the official documentation on
> this, which gave me the configuration that is identical to what I managed
> to set up with 4.0 now:
>
> https://www.qubes-os.org/doc/split-gpg/
That documentation never suggests a policy of allowing from any VM.
The old policy-accept GUI that it has a screenshot of (when saying "Yes to
All") modifies the policy to allow *only the specific src/dest pair* for
future requests.
> There are no mentions of limiting access to specific VMs, and the following
> statement seems pretty reasonable to me:
>
> “With Qubes Split GPG this problem is drastically minimized, because each
> time the key is to be used the user is asked for consent (with a definable
> time out, 5 minutes by default), plus is always notified each time the key
> is used via a tray notification from the domain where GPG backend is
> running. This way it would be easy to spot unexpected requests to decrypt
> documents.”
>
> The attack scenario you describe just doesn't seem as serious to me as it
> does to you. This scenario would involve a rogue application calling
> qubes-gpg-client to attempt to sign some data, and somehow manage to trick
> me into accepting the request.
Well, of course you're welcome to do whatever you'd like. Just don't
say I didn't warn you :)
Regards,
Jean-Philippe
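As an added example (not code from the thread or from the Qubes project), the policy check the discussion above turns on, written as a small Python audit of a qrexec policy file in the Qubes 3.2/4.0 `src dst action[,options]` syntax: it parses the rules and flags any that allow the service from an any-VM source without an `ask`. Both sample policies are constructed, and the `/etc/qubes-rpc/policy/qubes.Gpg` path is an assumption about where such a file lives.

```python
"""Audit a Qubes qrexec policy (e.g. /etc/qubes-rpc/policy/qubes.Gpg, path
assumed) for rules that let any VM use the Split GPG backend without a prompt.
Added example; not the Qubes project's own tooling."""

# Constructed sample: the over-broad policy the thread warns against.
WEAK_POLICY = """\
# qubes.Gpg policy (constructed example)
$anyvm $anyvm allow
"""

# Constructed sample: what "Yes to All" produces -- one explicit src/dest pair
# is allowed, and everything else still prompts the user.
PAIRED_POLICY = """\
# qubes.Gpg policy (constructed example)
work work-gpg allow
$anyvm $anyvm ask
"""

# Source tokens that match every VM ($-prefixed in 3.2, @-prefixed in 4.0).
ANY_SRC = {"$anyvm", "@anyvm"}


def parse_policy(text):
    """Return a list of (src, dst, action, options) tuples, one per rule line.
    Comment lines start with '#'; options are comma-joined to the action."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        src, dst, rest = fields
        action, _, opts = rest.partition(",")
        rules.append((src, dst, action, opts))
    return rules


def find_overbroad_rules(text):
    """Return the rules that grant 'allow' to an any-VM source. qrexec applies
    the first matching rule, so an any-VM allow anywhere silences the prompt
    for every VM not matched by an earlier, more specific rule."""
    return [f"{src} {dst} {action}"
            for src, dst, action, _ in parse_policy(text)
            if src in ANY_SRC and action == "allow"]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("paired", PAIRED_POLICY)):
        print(name, find_overbroad_rules(text) or "ok")
```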