Date: 25 Jul 2002 16:33:33 -0000
From: [email protected]
To: [email protected]
Subject: PGP 7.04 Patch Modifies the Password Cache Setting

I noticed that the new PGP 7.04 Patch, while addressing the security issue
that required Network Associates to issue the patch, also appears to
affect the Passphrase Cache.
After applying the patch, I noticed that my passphrase cache, while still
set to 2:00 minutes, was now functioning as though I had set it to "Cache
Passphrase While Logged On."
In other words, no matter how long it had been since I had last entered my
passphrase, I could open any PGP e-mail or document without entering my
passphrase again.
Checking the Options screen, I discovered that the Passphrase Cache still
appeared to be set at 2:00 minutes.
Even setting it to 1 Second did not solve the problem; my passphrase was
still cached for as long as I was logged on.
The only way I could find to resolve this problem was to reset the option
to NEVER cache my passphrase.
I brought this to the attention of Network Associates, and they WERE able
to replicate my findings.
However, their position is that since this is an old and not currently
supported version of PGP, they were not going to fix this problem.
According to them, my only option was to upgrade to version 7.1.1, which
they feel does not have this problem.
I feel that this problem is potentially much more important than the
problem that required the patch in the first place, since there is a much
higher likelihood of a security problem if anyone can read any PGP e-mail
or document on your computer by simply opening it up.
I also feel that if Network Associates felt they had to fix their initial
security problem with this patch, they should also have to fix the
security problem that their patch caused.