On Sat, Sep 21, 2013 at 11:06 PM, Aleksandar Lazic <al-gnupg_us...@none.at> wrote:
> What could be a perfect or at least a very good storage of the
> private key.

Probably a smartcard -- this keeps your key entirely on the card and it is not accessible to the computer (that is, a bad guy with control of your computer cannot extract the key from the card). It's almost certainly possible that a well-equipped adversary with chip-disassembly equipment (read: a major government) could physically take apart the chip and read the data off the internal parts directly, but that's a different story altogether.

Personally, I use a smartcard to prevent my private keys from being revealed if my computer is compromised by malware or some other sneaky stuff. If someone is willing to go through with seizing my smartcard and taking it apart, I have bigger problems. :)

> My definition of "today's user environment":
>
> 1.) Private mobile device, tablet, notebook with private E-Mail program
> 2.) Business mobile device, tablet, notebook with company E-Mail program
> with company key and private key
> 3.) Private mobile device, tablet, notebook with Web mail only access
> 4.) Business mobile device, tablet, notebook with Web mail only access
> 5.) more to be defined
>
> There are for different clients different tools available but the problem
> from my point of view is that you must always add your private key into the
> different clients.
>
> This is a lot of work and sometimes not possible as in point 3+4 defined.
>
> Point 1+2 are also not very secure due to the fact that nobody knows what
> really happens on such devices.

Well, #1 is probably the most secure: it's your own device and your own mail client (e.g. Thunderbird). #2 is probably the least secure, as the company has access to your private key.

> There are some HW-Solutions like
>
> http://g10code.com/p-card.html
> http://shop.kernelconcepts.de/product_info.php?cPath=1_26&products_id=133&osCsid=503b6045b0863ea8f4bc84757e89ee81
>
> but how could this or other HW-Solutions be usable along with Point 1+2
> definitions?

Easy: many mail clients have OpenPGP support built-in, or available through an add-on like Enigmail for Thunderbird. Many can read the smartcard and handle the encryption/decryption/signing operations through the normal interface. Even without a smartcard, they can access one's keyring and perform the various operations.

> In case you have your own server with your own web mail solution like
> roundcube, Horde or any other and you have secured your private key on this
> server then you have a solution for point 3+4 but not for 1+2.

I'm not sure how much I'd trust a web service, even one operated by myself or a company, with my private keys. I'd much rather keep them on a smartcard, accessible only to myself.

> What solution is available for public Web mail providers like gmail, gmx,
> hotmail, .... ?

Gmail permits access with mail clients (e.g. Thunderbird), so one could use such a client in conjunction with their OpenPGP software to send and receive encrypted mails. For webmail-only providers, you'd need to compose your message offline (say in a text editor like Notepad or something similar), then perform the encrypt/sign operations, then copy-paste the encrypted/signed output into the webmail compose window.

> What are your opinions about the thoughts above?
> What are your solutions which you use?

Usability is a big concern, and it's difficult with webmail-only services that people use these days. It becomes much more straightforward if one uses a mail client program.

Cheers!
-Pete

-- 
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
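The "compose offline, sign and encrypt, paste the armored output into the webmail box" workflow from the reply above, as an added shell example that is not part of the original thread. It assumes GnuPG 2.1 or later (for --quick-generate-key and --pinentry-mode loopback) and builds a throwaway key with an empty passphrase in a temporary GNUPGHOME purely so the script can run unattended; the "Demo User <demo@example.invalid>" identity and the draft text are constructed for the demo. With a smartcard, as Pete uses, you would skip the key generation entirely: gpg finds the card's keys via the stubs created by `gpg --card-status` and asks for the card PIN at signing time.

```shell
#!/bin/sh
# Added example: offline OpenPGP workflow for webmail-only providers.
# 1) write the draft in a plain file, 2) sign+encrypt it to ASCII armor,
# 3) paste the armored text into the webmail compose window.
# Assumes GnuPG >= 2.1. The throwaway key and empty passphrase exist only so
# the script runs unattended; never do that for a real key.
set -eu

# sign_encrypt_for_webmail SENDER RECIPIENT DRAFT_FILE
# Writes the armored, signed and encrypted message to stdout. The output is
# plain text, so it survives copy-paste into any compose box.
sign_encrypt_for_webmail() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --local-user "$1" --recipient "$2" \
      --sign --encrypt --output - "$3"
}

# decrypt_and_verify ARMORED_FILE
# What the recipient does with the pasted blob (signature status goes to
# stderr, the plaintext to stdout).
decrypt_and_verify() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt "$1"
}

cleanup() {
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
}

# demo: runs the whole round trip in an isolated GNUPGHOME and prints
# "round-trip OK" when the decrypted text matches the offline draft.
demo() {
  export GNUPGHOME
  GNUPGHOME=$(mktemp -d)
  chmod 700 "$GNUPGHOME"
  trap cleanup EXIT

  # Throwaway key, constructed for the demo. With a smartcard you would run
  # `gpg --card-status` here instead, so gpg learns which keys live on the card.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Demo User <demo@example.invalid>" default default never

  # Step 1: compose offline in a text editor; here a constructed draft.
  printf 'Hello,\nthis message was written offline.\n' > "$GNUPGHOME/draft.txt"

  # Step 2: sign and encrypt. The first line of the result is what you would
  # see at the top of the pasted webmail body.
  sign_encrypt_for_webmail demo@example.invalid demo@example.invalid \
      "$GNUPGHOME/draft.txt" > "$GNUPGHOME/draft.asc"
  head -n 1 "$GNUPGHOME/draft.asc"

  # Step 3 (sanity check before pasting): decrypt, verify, compare with draft.
  decrypt_and_verify "$GNUPGHOME/draft.asc" | cmp - "$GNUPGHOME/draft.txt"
  echo "round-trip OK"

  cleanup
  trap - EXIT
}

# Skip (exit 0) rather than fail when GnuPG is not installed.
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; install GnuPG 2.1+ to run this example" >&2; exit 0; }
demo
```

Everything sensitive stays in the local GNUPGHOME (or on the card); the webmail provider only ever sees the armored ciphertext, which is the property the reply is after. For real use, encrypt to the correspondent's key rather than your own, and keep your own key as a second recipient only if you want to be able to read your sent mail later.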