Bugtraq mailing list archives

PGP 7.04 Patch Modifies the Password Cache Setting


From: <Steve.Cohen () EchoStar Com>
Date: 25 Jul 2002 16:33:33 -0000



I noticed that the new PGP 7.04 Patch, while addressing the security issue 
that required Network Associates to issue the patch, also appears to 
affect the Passphrase Cache.

After applying the patch, I noticed that my passphrase cache, while still 
set to 2:00 minutes, was now functioning as though I had set it to "Cache 
Passphrase While Logged On."

In other words, no matter how long it had been since I had last entered my 
passphrase, I could open any PGP e-mail or document without entering my 
passphrase again.

Checking the Options screen, I discovered that the Passphrase Cache still 
appeared to be set at 2:00 minutes.

Even setting it to 1 Second did not solve the problem; my passphrase was 
still cached for as long as I was logged on.

The only way I could find to resolve this problem was to reset the option 
to NEVER cache my passphrase.

I brought this to the attention of Network Associates, and they WERE able 
to replicate my findings.

However, their position is that since this is an old and not currently 
supported version of PGP, they were not going to fix this problem.

According to them, my only option was to upgrade to version 7.1.1, which 
they feel does not have this problem.


I feel that this problem is potentially much more important than the 
problem that required the patch in the first place, since there is a much 
higher likelihood of a security problem if anyone can read any PGP e-mail 
or document on your computer by simply opening it up.

I also feel that if Network Associates felt they had to fix their initial 
security problem with this patch, they should also have to fix the 
security problem that their patch caused.


