On 22/04/17 09:34, listo factor via Gnupg-users wrote:
> Consequently, the promotion of its
> use is frowned upon primarily by those that are more interested
> in spreading the use of gpg for philosophical and political
> reasons among those that don't have any real adversaries,

I completely disagree with this assessment. It is a completely wrong portrayal of the motives of people who warn about putting all your money on a smartcard.

> rather
> than in the protection - however imperfect - of those that have
> real need for communication security.

So what real protection does it offer? If somebody has full access to your general purpose PC, they can read your encrypted communication and fake your signatures. Maybe faking signatures is something that would leave a trail and will be noticed eventually, but what good does that do you when your oppressive regime has just rounded up all your collaborators and has them before a firing squad?!

The only thing they cannot do is make a copy of your key to use it elsewhere; they are bound to your hacked PC for usage. I think there are plenty of threat models where the fact that they can read your encrypted messages is far worse. And they can do that willy-nilly, by cleverly using your smartcard for their own use while caching and providing the session keys you are trying to decrypt. You don't even have to decrypt the document they're interested in yourself, and no external push button will save you. Just decrypt a document twice, and the second time, the attacker can use your smartcard for their own good while providing the session key they logged the first time for your decryption.

It feels like you are saying "if you have a real need for communication security, a smartcard will make you more secure"; saying that much at the least. And it is completely and utterly dependent on the threat model.

You accuse others of not caring about people with real threats, yet your careless vague statements might encourage those people to place inappropriate trust in their smartcard setup. I think you are the one who is doing them a disservice, not people like Robert J Hansen who warn that smartcards can't magically make you safe when your computer is compromised.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
