> The use of smartcards is to me only a welcome sign that a > growing segment of gpg users appears to agree with that > proposition.
The overwhelming majority of GnuPG users do not know enough about information security to have an opinion worth listening to. More than that, they shouldn't need to. GnuPG is meant to be a tool for regular users. It fails at this pretty badly for a variety of reasons, not all of which are within its control, but that's always been the goal. If we expect GnuPG users to be experts in information security, then we've utterly and completely failed. A consequence of this is there will always be fads and fashions running through the community, things that many users embrace because "it's more secure" when the reality is it's nothing of the sort. Look at how many people think 3DES is obsolete, for instance, or that anything less than AES256 is risky. One fad in particular -- using symmetric algorithms of comparable strength to your asymmetric key -- has been going on for more than 25 years. Phil Z made this recommendation back in the days when he thought Bass-o-Matic was secure, and it was bogus even then, too. No, this won't give you a "balanced system". (Phil Z was apparently badly misunderstanding a "balanced network" -- a property of Feistel ciphers.) Smartcards are that same thing today. They can be, *in some situations*, a good tool. They are not a *generally recommended* tool. > They should be helped and advised how to better > tackle the problem This is exactly what we've been doing. Except "the problem" was not, in Mr. Senn's case, so much "how do I use a smartcard with GnuPG?" as it was showing him the real question was, "will using a smartcard with GnuPG help me?" And that's a hard question, and an interesting one, and it deserves to be seriously addressed. Ultimately he decided he'd like to learn more about them just because, and that's a perfectly valid use case! _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
