On Sep 10, 2009, at 8:38 PM, Daniel Kahn Gillmor wrote:
On 09/10/2009 06:32 PM, Christoph Anton Mitterer wrote:
3) One problem with such devices is,.. that one can never know
(well at
least normal folks like me) how good they actually are.
If this company would be evil (subsidiary of NSA or so) they could
just
sell bad devices that produce poor entropy thus rendering our
(symmetric
and asymmetric) keys, signatures etc. "useless". Right?
Worse than this: the devices could produce measurably "good" entropy
that happens to be predictable to a malicious individual in control
of a
special secret.
Sure, but your computer vendor "could" have a relationship with the
NSA and put some special code in the BIOS to capture keyboard input
and periodically send it to a central server. Your disk drive vendor
"could" keep a few extra sectors hidden from the reallocation pool,
and use them to store copies of things that match the byte signature
of a PGP key. Your wifi AP vendor "could" have a hidden secret WPA
key that makes your home network available to a malicious individual
in control of the special secret.
"Could" is a very powerful word. At some point, people have to buy
and run the closed-source hardware they need to run their open-source
software on :)
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
