[dev] PGP support for IMP - A start...
Jan Schneider
jan@horde.org
Thu, 28 Mar 2002 00:27:46 +0100
Quoting Cliff Green <green@UMDNJ.EDU>:
> > or to pass the clear text passphrase from the browser every time we use a
> > private key.
>
> With a required https connection, the vulnerability would be at the server,
> right? At what point(s) would the passphrase be sniffable or capturable?
If we rely on an https connection with strong encryption to use private
keys it should at least be hard enough. Btw, is there a way to get the key
length from an https connection?
> Can those junctures be protected by hashing the passphrase for comparison to
> a hashed version of the one stored in prefs? Wouldn't a hash be just as
> vulnerable?
This doesn't change anything. If you are able to sniff the communication
you can use the hashed passphrase as you would an unhashed one. And you
can't use a hashed passphrase directly with GPG if I'm right.
Jan.
--
http://www.horde.org - The Horde Project
http://www.ammma.de - discover your knowledge
http://www.tip4all.de - your private betting pool
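
The replay point from the reply above, as an added example that is not part of the original message and is not Horde/IMP code: a server that compares a client-sent hash against a stored hash accepts a captured copy of that hash just as it would the passphrase. The nonce-based contrast goes beyond the thread; all names and the sample passphrase are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; STORED_HASH stands in for the hash kept in prefs.
PASSPHRASE = "correct horse battery staple"
STORED_HASH = hashlib.sha256(PASSPHRASE.encode()).hexdigest()

def verify_static_hash(received_hash):
    """Scheme from the thread: client sends hash(passphrase), server compares."""
    return hmac.compare_digest(received_hash, STORED_HASH)

class ChallengeVerifier:
    """Contrast: server issues a one-time nonce, client answers HMAC(hash, nonce)."""

    def __init__(self):
        self._pending = set()

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:
            return False              # unknown or already-used nonce
        self._pending.discard(nonce)  # each nonce is valid once
        expected = hmac.new(STORED_HASH.encode(), nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(passphrase, nonce):
    # The client derives the same key the server stores, then binds it to the nonce.
    key = hashlib.sha256(passphrase.encode()).hexdigest().encode()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()

def demo():
    # The value an observer of the connection sees under the static-hash scheme.
    captured = hashlib.sha256(PASSPHRASE.encode()).hexdigest()
    server = ChallengeVerifier()
    n1 = server.new_challenge()
    r1 = client_response(PASSPHRASE, n1)
    first = server.verify(n1, r1)
    n2 = server.new_challenge()
    return {
        "static_replay_accepted": verify_static_hash(captured),
        "challenge_first_accepted": first,
        "challenge_same_nonce_replay": server.verify(n1, r1),
        "challenge_new_nonce_replay": server.verify(n2, r1),
    }
```

Neither variant gives the server the clear-text passphrase, which GPG itself needs to unlock the private key.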