On 06/01/2014 10:34, Werner Koch wrote:

> To make use of the decryption key the smartcard first requires that a
> VERIFY command is sent to the card. This is what asks for the PIN.
> After a successful verification of the PIN the card allows the use of
> the PSO Decrypt command until a power down or a reset operation. Thus
> an attacking malware only needs to trick you into decrypting an arbitrary
> message and is then free to use the smartcard without having the reader
> ask you again for a PIN.

Is it just convenience, or would enforcing it (e.g. adding a "forcedecauth" flag) lead to usability issues (maybe because sometimes decryption is called many times in sequence)? That would be the case for the auth key, I think: using it to auth against a web page would ask for auth for every sub-request of objects on the page.

BYtE,
 Diego.
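
The trade-off raised in this message, as an added example that is not part of the original post and is not GnuPG or card firmware code: a simplified Python model of the PIN state described in the quoted text, counting how many PIN prompts a run of decryptions costs with and without a per-operation flag. The class, the `force_dec_auth` parameter (standing in for the hypothetical "forcedecauth" flag) and the sample inputs are assumptions; retry counters and real APDU encoding are left out.

```python
class PinRequired(Exception):
    """Raised when PSO Decrypt is attempted without a valid VERIFY."""


class CardModel:
    """Toy model of the card's decryption-PIN state (constructed, simplified)."""

    def __init__(self, pin, force_dec_auth=False):
        self._pin = pin
        # Hypothetical flag from the post: one VERIFY covers one decryption.
        self.force_dec_auth = force_dec_auth
        self._verified = False

    def verify(self, pin):
        """VERIFY: a correct PIN unlocks the decryption key."""
        self._verified = (pin == self._pin)
        return self._verified

    def pso_decrypt(self, blob):
        """PSO Decrypt: allowed only while the PIN state is verified."""
        if not self._verified:
            raise PinRequired("VERIFY needed before PSO Decrypt")
        if self.force_dec_auth:
            self._verified = False  # drop the PIN state after each use
        return b"plain:" + blob  # placeholder for the real key operation

    def reset(self):
        """Power down or reset clears the verified state."""
        self._verified = False


def pin_prompts(card, pin, blobs):
    """Decrypt blobs in order as a host would; return how many PIN prompts occur."""
    prompts = 0
    for blob in blobs:
        try:
            card.pso_decrypt(blob)
        except PinRequired:
            prompts += 1          # the reader asks the user for the PIN
            card.verify(pin)
            card.pso_decrypt(blob)
    return prompts


if __name__ == "__main__":
    msgs = [b"m1", b"m2", b"m3", b"m4", b"m5"]  # constructed sample input
    print("current behaviour:", pin_prompts(CardModel("123456"), "123456", msgs))
    print("with forced auth: ", pin_prompts(CardModel("123456", True), "123456", msgs))
```
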