On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said:

> Your wording implies that the cards I mentioned aren't both secure and
> fast. Any pointers?

No, I was just not aware that they support 2k RSA and key generation in
particular. My (old) specs don't say so.

> isn't that interesting, though. The point is that AFAICS PKCS#11
> clearly defines an API, and perhaps it may become an ISO standard in the

No it does not define a clean API. Almost everyone is using proprietary
extensions and I don't consider that a standard. It is a complex
specification targeted to allow some interoperability between proprietary
applications. With Free Software we are not bound to some of these stupid
things. If we tried to support all PKCS#11 supported tokens we would need
to add a lot of extra code to gpg to cope with minor peculiarities of the
tokens. And well, complexity is the worst enemy of security.

> Framework or openCryptoki (unfortunately those two feature GPL
> incompatible licenses but who says that this won't change?).

Experience? Missing copyright assignments, lost contact with the authors?

> About the weakest link: For a master key the length of the key may well
> be the weakest link if the master key is stored away in a safe place and
> if it is only used once in a while on reasonably tamper proof systems

Unless you have real physical security with guards, barbed wire, 2m
concrete walls I really doubt that. Hiring a burglar or a gunman is far
cheaper than breaking one key - even if it is a CA key for a small or
medium domain.

Shalom-Salam,

   Werner