PGP and Smartcards?

Werner Koch wk at gnupg.org
Mon Jul 25 08:01:36 CEST 2005


On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said:

> Your wording implies that the cards I mentioned aren't both secure and
> fast.  Any pointers?

No,  I was just not aware that they support 2k RSA and key generation
in particular.  My (old) specs don't say so.

> isn't that interesting, though.  The point is that AFAICS PKCS#11
> clearly defines an API, and perhaps it may become an ISO standard in the

No it does not define a clean API.  Almost everyone is using
proprietary extensions and I don't consider that a standard.  It is a
complex specification targeted to allow some interoperabilty  between
proprietary applications.  With Free Software we are not bound to some
of these stupid things.

If we would try to support all pcks#11 supported tokes we need to add
a lot of extra code to gpg to cope with minor pecularities of the
tokens.

And well, complexity is the worsest enemy of security.

> Framework or openCryptoki (unfortunately those two feature GPL
> incompatible licenses but who says that this won't change?).

Experience?  Missing copyright assignments, lost contact to the
authors?

> About the weakest link: For a master key the length of the key may well
> be the weakest link if the master key is stored away in a safe place and
> if it is only used once in a while on reasonably tamper proof systems

Unless you have real physical security with guards, barbed wire, 2m
concrete walls I really doubt that.  Hiring a burgler or a gunman is
far out cheaper than to break one key - even if it is a CA key for a
small or medium domain.


Shalom-Salam,

   Werner




More information about the Gnupg-users mailing list