On Mon, 14 May 2007 10:44, [EMAIL PROTECTED] said:

> something's wrong. Can the OpenPGP Card be set to do one operation per
> pin entry when used with a card reader that has a keypad? This seems

Yes, use the command "forcesig" in the --card-edit menu to toggle this
feature.  However it does not help you if the host has been compromised
and the admin PIN is known.  You can always bypass the requirement to
use the keypad.  With some social engineering this makes it easy to get
control over the card.

> software. It seems the OpenPGP Card relies on the proprietary BasicCard
> operating system. Finally, it looks like the OpenPGP Card costs about

That is indeed very unfortunate but we have found no other way to
deliver a fast card.  For almost all fast chips you need to sign an NDA
which does not allow you to implement a fully free solution.  Building
your own chip is possible but they would be very expensive.  And no, a
Java Card does not help security-wise as you don't have access to the
firmware.

> 26.4 Euros (about $36) shipped from Europe. That's a little high for me
> right now.

What about an aggregated order or to figure out a company in the US to
distribute the cards?

> not in use, so that if my device falls into the wrong hands, I won't
> have to worry too much. Does the OpenPGP Card encrypt the keys while
> stored on the card?

No, that does not make sense - the standard security features of the
chip are employed to make probing the chip difficult and expensive.

> Also, the OpenPGP Card appears to be from a German organization, like

That is not correct.  I have developed the specs along with Achim Peitig
of a Paderborn card vendor.  Achim wrote the implementation.  It was
done all on our own money and for our fun.  Only later the BSI (The
German federal IT security agency) mentioned this card as a good example
of a usable smart card without vendor lock in.

> the one that developed the Java Anonymous Proxy, and was forced by the
> German government to back door the software. Does the German government

JAP has not been backdoored but the organisations running a JAP server
have the ability to log the IP addresses.
The case you have in mind is that the lists of IP addresses have been
handed over to the prosecution authorities.  IIRC, they have not been
forced to do this but did this voluntarily.  That is basically the same
as with a TOR server: It is possible to log things to help the
prosecution but no sane person would do this.  My company is running a
heavily loaded exit node (allium.gnupg.org) and we get about one request
a fortnight to tell the IP address.  Obviously we don't do that and
usually a few minutes' talk is today sufficient to explain to them that
this is an anonymizer server and that there is no chance to get to the
IP address of the previous node.

> still consider it legal to force programmers to back door their
> software? I heard they were appealing it, but I never heard how that

There is no way to force backdoors in software.  Only ISPs (larger than
about 1000 clients) are required to have that expensive wiretapping rig
available - in case of a court order to set one.  And well, they need to
keep the client name and the assigned IP addresses on file for too much
time.  But that has nothing to do with being forced to backdoor
software.

> Does anyone know if any other democratic governments consider it legal
> to force programmers to incorporate back doors?

Before answering that we need to agree on what countries are still
democratic ;-)

Shalom-Salam,

   Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users