Re: Re: cache-timeout not working with smartcard

2009-12-18 Thread Peter Lebbing
I would also like the features requested in this thread: having the card locked
again after a decryption/authentication and the possibility to easily unplug and
replug an ID-000 reader.

Werner Koch wrote:
> If you are talking about malware on your box, nothing will help you.
> You don't have any control anymore on your box.  The only advantage
> you have is that the bot needs to wait until you enter the PIN the
> next time and then it can replay the PIN as needed.  Oh, you are using
> a pinpad reader - well in this case the malware just lets you sign
> something it is interested in and not what you assume.

This is also about physical access. If I use the smart card and leave the
workstation for a moment (and forget to lock the card again), somebody can sit
down at my workstation and happily decrypt my gpg files and use ssh to log in to
other systems.

Sure, physical access can cause lots of trouble, but it takes more time and
effort than just typing "ssh interesting-host". I don't feel comfortable about 
it.

>> 2. Couldn't scdaemon be configured to also access the signature key on
>> the card every time, even if only the authentication or encryption key
>> is needed? 
> 
> Why would you want to do that?  See above.

I'm not really convinced about the security of this method anyway. Access
control should be at the card. However, how about powering down _and_up_ the
card after every auth/decrypt? Configurable, of course. That way, PIN entry can
start immediately when the next auth/decrypt turns up, without the delay of
powering up and initialising the card (actually, the delay has been moved to the
moment after the previous use).

Greetings,

Peter.

PS: I also use the internal CCID driver.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


same key pair for more than one e-mail address

2009-12-18 Thread M.B.Jr.
Suppose I'd like to "bind" the same key pair to more than one e-mail address.
Is it recommended? Any comments will be greatly appreciated.


Regards,




Marcio Barbado, Jr.


Re: same key pair for more than one e-mail address

2009-12-18 Thread Olav Seyfarth
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Hi Marcio,

> Suppose I'd like to "bind" the same key pair to more than one e-mail address.
> Is it recommended? Any comments will be greatly appreciated.

It depends.

Using it for two private mail addresses that are both public is no problem.
You may add or revoke UIDs later on.

If you use an email address only your closest friends know, then adding a UID
for it to your public key would reveal it.

Also, keep in mind that if you use the same key for private and business use,
depending on the legislation in your country, your employer might ask you to
hand over the private encryption key once you leave the company. It is wise
to avoid such situations by using separate keys for business and private use.

There are more cases, like a low-trust key just to secure transport, e.g. for
XMPP aka Jabber.

Olav
- -- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.12 (MingW32)
Comment: This email is digitally signed/encrypted
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQGcBAEBAwAGBQJLLAdsAAoJEKGX32tq4e9WVZcL/i9sN4e4X/rQkhpYs1GtBeE/
cEpGwbndm1l9f30MWtw+2fNHbich11+IFPSO5GZ0x4ccqfIXVSFuABLAmW0s3MV5
NToErwYti0BbUcLQb+46fA7lhFF7ct7bX17D/Lv7TVExcl6qLKo2zwfufbVXi/GL
Kc46WIoGlHDzAQNNlpNFQQm0Evnd8ORmE6fzVAEcBIBF0i3rpeuLXrC2oleJkPe8
LgwMZkZeF/v+0xZ8VCxsvaFx3o8S2annYR1gHIjGKm0YNbyMK/dI0nVSbmjXRjF2
SCpXr/vLjKlN4C67dBy1Tw9UbtsJkQm2nkkSTiQBqC6189HHr4i0BJbe5GQJWqCs
iYGFZ/r0fsm4P+ryLN7sIQW1cbfvRit5olg7RnDvy8BQourhgotAN7ATEqEEIsiQ
4i2ZDlPzmTIkXwvvsI4jOnokLAEMquGa4cj+cPFnBAl7GTdeIjrAb7jQ0JzMt7ZA
wawowDOsghA2/xLbU/aYAXie9cIz5qOhR/OhX+6U7g==
=wil5
-END PGP SIGNATURE-

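
A worked example added here (it is not code from the thread or from GnuPG): the
point Olav makes about UIDs revealing addresses can be checked mechanically by
parsing the colon-separated listing that `gpg --with-colons --list-keys` prints
(field layout as documented in GnuPG's doc/DETAILS). The script below lists, per
key, every e-mail address carried by a user ID and marks revoked or expired
UIDs, because revoking a UID only adds a revocation signature and leaves the UID
packet in the exported public key: an address you once added stays visible to
anyone who fetches the key. The listing, key IDs, fingerprints and addresses are
constructed for the example; on a real keyring, pass in the output of
`gpg --with-colons --list-keys` (add `--list-options show-unusable-uids` if your
version omits revoked UIDs from the listing).

```python
"""Added example: list the e-mail addresses a public key reveals.

Parses the machine-readable output of `gpg --with-colons --list-keys`
and reports, per key, every address carried by a user ID, revoked user
IDs included (their UID packets remain in the exported key).
"""
import re
from dataclasses import dataclass, field

# Validity codes GnuPG puts in field 2 of a "uid:" record.
UID_STATUS = {"r": "revoked", "e": "expired"}


@dataclass
class KeyInfo:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)  # [(user id string, status), ...]


def unescape_colon_field(s):
    """GnuPG writes ':' and non-printable bytes as \\xNN in colon output."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_colon_listing(text):
    """Return one KeyInfo per 'pub' record with its primary fingerprint and UIDs."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":                        # field 5 = key ID
            cur = KeyInfo(keyid=f[4])
            keys.append(cur)
        elif rec == "fpr" and cur and not cur.fingerprint:
            cur.fingerprint = f[9]              # first fpr after pub = primary key
        elif rec == "uid" and cur:              # field 10 = user ID, field 2 = validity
            cur.uids.append((unescape_colon_field(f[9]), UID_STATUS.get(f[1], "usable")))
        # tru/sub/sig/... records are not needed here
    return keys


EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


def email_of(userid):
    """Address in the <...> part of a user ID, lower-cased; None if there is none."""
    m = EMAIL_RE.search(userid)
    return m.group(1).lower() if m else None


def revealed_addresses(text):
    """Map fingerprint (key ID if no fpr record) -> [(address, status), ...]."""
    result = {}
    for k in parse_colon_listing(text):
        result[k.fingerprint or k.keyid] = [
            (email_of(u), st) for u, st in k.uids if email_of(u)
        ]
    return result


# Constructed sample listing (not real keys): one key with a public address,
# a work address whose comment contains escaped colons, and a revoked private
# address, plus a second key that has no fpr record.
SAMPLE_LISTING = r"""tru::1:1261151700:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1257984000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1257984000::0000000000000000000000000000000000000001::Alice Example <alice@example.org>::::::::::0:
uid:u::::1257984100::0000000000000000000000000000000000000002::Alice Example (office 9\x3a00-17\x3a00) <Alice@work.example>::::::::::0:
uid:r::::1257984200::0000000000000000000000000000000000000003::Alice Example <alice.private@friends.example>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1257984000::::::e::::::23:
pub:-:2048:1:1122334455667788:1257984000:::-:::scESC::::::23::0:
uid:-::::1257984000::0000000000000000000000000000000000000004::Bob Example <bob@example.net>::::::::::0:
"""

if __name__ == "__main__":
    for fpr, addrs in revealed_addresses(SAMPLE_LISTING).items():
        print(fpr)
        for addr, status in addrs:
            print(f"  {addr:<35} {status}")
```

Run against a real keyring with `gpg --with-colons --list-keys | python3 script.py`
after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; any address listed as
"revoked" is still shipped with the key even though mail clients will no longer
use it.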

Re: [gnupg-users] same key pair for more than one e-mail address

2009-12-18 Thread James P. Howard, II
On Fri, Dec 18, 2009 at 08:08:15PM -0200, M.B.Jr. wrote:

> Suppose I'd like to "bind" the same key pair to more than one e-mail address.
> Is it recommended? Any comments will be greatly appreciated.

I wrote a blog post on this question a couple months ago:

  http://bit.ly/4eTg6z

James

-- 
James P. Howard, II, MPA MBCS
j...@jameshoward.us

