On 22-01-2015 at 20:43, Robert J. Hansen wrote:
> Smartcards exist to keep private keys safe(r) from being stolen.
> They do a pretty good job of that. But when we expect smartcards
> to be able to somehow make a compromised environment safe to
> operate in, then we've crossed the line and turned them into magic
> crypto fairy dust.

Yes, but maybe you are missing an interesting point: if a smartcard requires the user to push a button each time it has to issue a signature (maybe the PIN can be cached for a while, but still requiring the push of a button means physical access to the device, not just some remotely controlled malware), and the card flashes a message saying "I need you to push the button" when you are not requesting the card to issue a signature, then you can realize your computer has been compromised. Or if you issue a signature and then you get a message about "do it again", OK, you can fall for it once, but not 500 times.

Some years ago, I got malware on my computer, and I detected it when the firewall warned me about some program attempting to connect to the internet. The firewall was not intended to be a malware detector, but when it asked me to create a rule for that unknown app, I became aware of the problem and could take steps to solve it.

By the way, here (in Chile), the law recognizes 2 levels of digital signatures: the "advanced" digital signature, which is considered like a handwritten signature (and requires a certificate in a smartcard, issued by one of the 3 or 4 approved companies), and the "normal" digital signature, which means the judge will determine the value of that evidence (so, my signatures issued with GnuPG are at the same level as a scanned picture of my handwriting... a bit unfair, IMHO).

In that context, I would not only want the smartcard to prevent my private key from being stolen, I'd also like to know malware won't be able to start signing 1000s of things without my approval.

Best Regards