Keyring on external encrypted drive

NdK ndk.clanbo at gmail.com
Thu May 23 21:18:40 CEST 2013


Il 23/05/2013 20:43, Peter Lebbing ha scritto:

>> Really useful, IMVHO. Unless you have to sign *a lot* of things...
> Werner Koch does not agree it's a security feature (and I suppose that's why you
> think it's useful), as he said in this[1] thread:
> [1] http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046051.html

Similar threads appeared on OpenSC ML too.
That's why I was investigating a "port" of OpenPGPCard to Yubico token
(that offers a button that can be read by the Java code -- too bad it
requires a library available from NXP only under strict NDA :(

A less robust (against invasive attacks) option could be the GNUK token.

>> In any case it is not a security measure because the host may simply
>> cache the PIN and silently do a verify command before each sign
>> operation.  To avoid that simple workaround, a pinpad reader which
>> filters the VERIFY command would be needed.
The host may cache it only if it ever sees it :)
There exist cards with button and display: having an OOB bidirectional
channel can give much more security...

Another option could be a HOTP code instead of a static PIN (maybe I'll
include this in MyPGPid :) ).

BYtE,
 Diego.
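The "HOTP code instead of a static PIN" idea from the message above, as an added example that is not part of the original thread nor of any GnuPG, OpenPGPCard or MyPGPid code: a toy card model (the `HotpCard` class and `replay_attempt` helper are constructed names) whose VERIFY consumes a one-time RFC 4226 value, so a host that cached what the user typed cannot silently re-VERIFY before a second sign.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class HotpCard:
    """Constructed toy model of a token whose VERIFY expects a one-time HOTP value.
    A code is accepted only for a counter at or beyond the current one (small
    look-ahead window); the counter then moves past it, so a replay is refused."""
    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0
        self.window = window
        self.verified = False

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # burn this value and any skipped ones
                self.verified = True
                return True
        self.verified = False
        return False

    def sign(self, data: bytes) -> Optional[bytes]:
        """One signature per successful VERIFY; the toy 'signature' is an HMAC."""
        if not self.verified:
            return None
        self.verified = False            # host must present a fresh code next time
        return hmac.new(self.secret, data, hashlib.sha256).digest()

def replay_attempt(secret: bytes) -> Tuple[bool, bool]:
    """Host caches the code the user typed once and replays it before a second
    sign, the workaround described for a static PIN. Returns (first, replay)."""
    card = HotpCard(secret)
    cached = hotp(secret, 0)             # the one value the host ever saw
    first = card.verify(cached) and card.sign(b"doc1") is not None
    replay = card.verify(cached)         # silent re-VERIFY with the cached code
    return first, replay
```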
