Hi,

NIIBE Yutaka:
> Sorry, I didn't have time to reply your call the other day.
>
> I think that Gemalto Shelltoken Card Reader, which is available
> at http://shop.kernelconcepts.de/ is good one.
>
> Please note that OpenPGP card requires specific card readers. Its
> users usually use RSA-2048, RSA-3072, or RSA-4096. For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816. (For RSA-1024, most smart card readers work well.)
>
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.
>
> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>>
>> https://wiki.gnupg.org/CardReader/PinpadInput
>>
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>>
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
>
> I implemented the pinpad input support in scdaemon. While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
>
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader. If such an attack is possible, a user already
> would be defeated.
>
> It is common for such card readers to have only numeric pads. That
> limits the entropy of passphrase, considerably. And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software. With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.
>
Just one note for now:

For example, the Nitrokey Storage (1,2) (a USB crypto stick with integrated card reader) is 100% open source, free software, verifiable firmware. On the other hand, it has no pinpad.

There may be others (with free software), but I don't know of them. I just use the Nitrokey, without having any ties with its makers.

If lack of a PIN-pad device is not a knock-out criterion, you might ask them about quantities and conditions.

(1) https://www.nitrokey.com/ (comparison table at bottom of page)
(2) https://www.nitrokey.com/news/2016/nitrokey-storage-available
(3) https://www.nitrokey.com/introduction (quick overview)
(4) https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit (with links to the actual security audit PDFs)

Cheers
Stephan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users