On 2023-11-13 07:09, Stephan Verbücheln via Gnupg-users wrote:
> On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
>> A PIN does not solve the problem, since the PIN is entered on the device, which could be backdoored to store the PIN
>
> That's why card readers with pinpads were invented, and GnuPG also supports that: https://www.gnupg.org/howtos/card-howto/en/ch02s02.html
>
> Other ideas to improve isolation:
>
> * If you trust your Linux distribution in general but not every single desktop app, you can use a separate Linux user for sensitive activities.
> * You can use GnuPG Agent Forwarding via SSH to sign a file on a less trusted server from a more trusted client. This way your PIN is entered on the more trusted client machine.
What can you sign? Non-complete answer:
- git commits
- files
- emails

How can you sign emails? Non-complete answer:
- webmail interface
- MUA with PGP support

From which systems can you use such email signatures? Non-complete answer:
- Android
- iOS
- Windows
- MacOS
- Linux
- FreeBSD
- your TV (e.g. if it has a web browser)

A Yubikey or similar and agent forwarding can't be used when I am not at home and access my webmail interface (I want to have a big screen for certain emails); typically this is not supported by a webmail interface.

Agent forwarding can't be used for this use case either. I'm interested to hear about an Android app which supports Yubikeys, but this is curiosity, as it doesn't help with the above case of a webmail interface.

Right now, there is no solution which allows an Android app, a webmail interface from the work PC and a MUA or webmail interface on/from your PC at home (no matter which OS) to use _1_ central location of your private key (so far you may be able to have it stored in your webmail solution, and on your Yubikey for apps/git/files, but the last part depends on something which is able to forward it to remote locations, which doesn't work if you need to use a web-interface based SSH gateway solution instead of direct SSH access). Feel free to prove me wrong; I would love to have a solution for this.
Note: while looking up something related, I found an old German overview of the email-app situation from the authors of GPG for the German ministry of information security:

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/OpenPGP/openpgpandroid.pdf?__blob=publicationFile&v=2

I have quickly read some parts and it looks like the situation hasn't really changed in the last 8 years.

If you think about it (I just invested 1 minute), you would need:
- some server with your private key which is reachable from everywhere
- a safe authentication possibility to it
- a remote signing protocol
- support in all apps/MUAs/...

One could argue that you put OIDC in front of gnupg-agent on a network socket and you have covered the first 3 items (but I would bet it is not as simple as that). Then it would simply be support in all the apps/MUAs/... (webmail interfaces which already use gnupg-agent would be simple to convert if gnupg-agent had a proxy feature which would connect to the remote agent).
Bye,
Alexander.
-- 
http://www.Leidinger.net [email protected]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org [email protected] : PGP 0x8F31830F9F2772BF
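As an added illustration of the GnuPG agent forwarding over SSH that Stephan refers to above (example code written for this page, not from the thread or from the GnuPG project), the POSIX shell helpers below build the `ssh_config` stanza that forwards the local agent's restricted "extra" socket to a less trusted host, and check that the remote `sshd_config` allows the forward. The host name `untrusted-host`, the uid-1000 socket paths and the two sample `sshd_config` files are constructed placeholders; on real machines the paths come from `gpgconf --list-dirs agent-extra-socket` (client) and `gpgconf --list-dirs agent-socket` (server).

```shell
#!/bin/sh
# Added example (not from the thread): helpers for GnuPG agent forwarding
# over SSH. The local *extra* socket is the one to forward: it is the
# restricted agent socket, so the remote side can request signatures and
# decryption but cannot export keys or reconfigure the agent, and every
# PIN/passphrase prompt still appears on the trusted client.

# Print an ssh_config stanza. RemoteForward takes the *remote* path first,
# then the *local* path. HOST is a placeholder supplied by the caller.
gen_agent_forward() {
    host=$1
    remote_agent_socket=$2
    local_extra_socket=$3
    printf 'Host %s\n    RemoteForward %s %s\n' \
        "$host" "$remote_agent_socket" "$local_extra_socket"
}

# The remote sshd must be allowed to replace an already existing socket
# file (StreamLocalBindUnlink yes); otherwise the forward fails once a
# gpg-agent on the remote host has created its own socket at that path.
# Returns 0 if the given sshd_config enables it (comments and case ignored).
sshd_allows_socket_forward() {
    sed 's/#.*//' "$1" \
        | grep -qiE '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes[[:space:]]*$'
}

# Constructed sample configurations, not files taken from any real host.
GOOD_SSHD_CONFIG=$(mktemp)
BAD_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_SSHD_CONFIG" "$BAD_SSHD_CONFIG"' EXIT
printf '%s\n' '# hardened sshd' 'PermitRootLogin no' 'StreamLocalBindUnlink yes' \
    > "$GOOD_SSHD_CONFIG"
printf '%s\n' 'PermitRootLogin no' '# StreamLocalBindUnlink yes' \
    > "$BAD_SSHD_CONFIG"

main() {
    # Placeholder host and the usual GnuPG socket locations for uid 1000.
    gen_agent_forward untrusted-host \
        /run/user/1000/gnupg/S.gpg-agent \
        /run/user/1000/gnupg/S.gpg-agent.extra
    for cfg in "$GOOD_SSHD_CONFIG" "$BAD_SSHD_CONFIG"; do
        if sshd_allows_socket_forward "$cfg"; then
            echo "$cfg: socket forwarding will work"
        else
            echo "$cfg: add 'StreamLocalBindUnlink yes' to sshd_config"
        fi
    done
}

main "$@"
```

Only the public keys need to exist on the remote host (`gpg --export KEYID | ssh untrusted-host gpg --import`); the private key and the PIN entry stay on the client, which is the isolation property Stephan's suggestion relies on.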
