From xemacs-m  Sat Aug 23 19:34:08 1997
Received: from altair.xemacs.org (steve@xemacs.miranova.com [206.190.83.19])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id TAA00392
	for <xemacs-beta@xemacs.org>; Sat, 23 Aug 1997 19:34:08 -0500 (CDT)
Received: (from steve@localhost)
	by altair.xemacs.org (8.8.6/8.8.6) id RAA10954;
	Sat, 23 Aug 1997 17:38:53 -0700
Mail-Copies-To: never
To: Martin Buchholz <mrb@Eng.Sun.COM>
Cc: <jari.aalto@poboxes.com> (pgp preferred ssjaaa@uta.fi | pgp -fka),
        skip@calendar.com (Skip Montanaro), xemacs-beta@xemacs.org
Subject: Re: PGP security threat alert
References: <199708232201.SAA22000@helene.tele.nokia.fi> <199708232210.PAA12803@xemacs.eng.sun.com>
X-Attribution: sb
From: SL Baur <steve@xemacs.org>
In-Reply-To: Martin Buchholz's message of "Sat, 23 Aug 1997 15:10:41 -0700"
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: 23 Aug 1997 17:38:52 -0700
Message-ID: <m2vi0w4dpf.fsf@altair.xemacs.org>
Lines: 23
X-Mailer: Gnus v5.4.65/XEmacs 20.3(beta19) - "Kiev"

Martin Buchholz <mrb@Eng.Sun.COM> writes:

>>>>>> "Jari" == Jari Aalto <jaalto@tre.tele.nokia.fi> writes:
> Removing all the recent keys seems remarkably kludgy.  We should not
> have a subr to remove the recent keys.

I don't like it and Richard doesn't like it.

> Instead we should have a way to suppress recording of keystrokes during
> execution of a lisp function, which could be used by passwd.el.

That sounds more useful.  It doesn't sound any more secure, but it's a 
more correct thing to do.

> I vote against adding the subr.

Implementing bad security is much worse than implementing no security
at all.  If you're trying to protect against someone with physical access 
to a running emacsen where you have just typed in a (PGP) password,
you'll also have to make sure the text is wiped out of other places in 
the lisp runtime lest forcing a coredump reveal all.  I'm not sure
that's worth it as it will require a substantial amount of work to do
right and the best solution is to not leave your session unattended.

