> What prevents the keylogger in your first example from snarfing the PIN code
> for the OpenPGP card and sending decryption requests to the OpenPGP card,
> using the PIN code, in the background, possibly remotely controlled over
> the network?

There exist cryptographic smart cards you can actually be safe against this
kind of attack with.  They're pretty cool.  I don't know if the OpenPGP card
is one of them or not, but it's at least possible with a smartcard.  It's not
possible with a PC-controlled setup--at least, not without a ton of
specialized hardware.

> I think smart cards in general are somewhat over-rated.  You have no
> idea what they are signing, and the authorization control (PIN code) is
> easy to get by with a trojan.

My objection to smartcards is more on the basis of RSA-1024 being too short
for long-term security, but hey.

The question isn't whether smart cards are secure--nothing that's got that
much RAM and processor power ever is--but whether smart cards are a security
improvement.  On that one, I think they have the potential to bring
substantial amounts of win to certain kinds of environments.  To other kinds
of environments, they don't.  C'est la vie.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
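The scenario in the thread above, as a constructed model added here (not code from GnuPG, the OpenPGP card specification or the poster): a PC-side trojan records the PIN from the keyboard and later asks the card to operate in the background. The model contrasts a card where the PIN alone unlocks a signing session with a card that additionally demands a physical button press for every operation, which is the property the reply refers to. The `UserPresence` hook, the HMAC stand-in for the card's private key, the sample PIN and the three-strike lockout are all assumptions of this model.

```python
"""Constructed model of the 'trojan with the PIN' threat against a smart card.
Not GnuPG or OpenPGP-card code: HMAC stands in for the card's private key and
UserPresence stands in for a physical confirmation button (both assumptions)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

CARD_KEY = b"constructed-card-private-key"  # constructed; never leaves the Card object
CARD_PIN = "123456"                          # constructed sample PIN
MAX_PIN_FAILURES = 3                         # assumed lockout threshold


@dataclass
class UserPresence:
    """Hypothetical physical button: pressed only while the user is at the keyboard."""
    at_keyboard: bool = False

    def pressed(self) -> bool:
        return self.at_keyboard


@dataclass
class Card:
    key: bytes
    pin: str
    require_presence: bool        # True: each operation needs a button press
    presence: UserPresence
    pin_verified: bool = False
    failed_pin_attempts: int = 0
    ops_log: list = field(default_factory=list)

    def verify_pin(self, pin: str) -> bool:
        """PIN opens a session; a locked card rejects even the right PIN."""
        if self.failed_pin_attempts >= MAX_PIN_FAILURES:
            return False
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.pin_verified = True
            self.failed_pin_attempts = 0
            return True
        self.failed_pin_attempts += 1
        return False

    def sign(self, data: bytes) -> Optional[bytes]:
        """Sign only inside a verified session and, if required, with presence."""
        if not self.pin_verified:
            return None
        if self.require_presence and not self.presence.pressed():
            self.ops_log.append(("denied", data))
            return None
        self.ops_log.append(("signed", data))
        return hmac.new(self.key, data, hashlib.sha256).digest()


def run_scenario(require_presence: bool, background_attempts: int = 5) -> dict:
    """User signs once at the keyboard; a trojan then signs in the background."""
    presence = UserPresence()
    card = Card(CARD_KEY, CARD_PIN, require_presence, presence)
    keylogger_buffer = []

    # 1. The user types the PIN on the PC; a keylogger records the keystrokes.
    typed_pin = CARD_PIN
    keylogger_buffer.append(typed_pin)
    if not card.verify_pin(typed_pin):
        raise RuntimeError("model error: correct PIN rejected")

    # 2. The user signs one message while present and presses the button.
    presence.at_keyboard = True
    user_sig = card.sign(b"message the user meant to sign")
    presence.at_keyboard = False

    # 3. The user walks away; the trojan replays the captured PIN and asks the
    #    card to sign attacker-chosen data with nobody at the keyboard.
    card.verify_pin(keylogger_buffer[0])
    trojan_sigs = [s for i in range(background_attempts)
                   if (s := card.sign(f"attacker-chosen data {i}".encode())) is not None]
    denied = sum(1 for kind, _ in card.ops_log if kind == "denied")
    return {"user_signed": user_sig is not None,
            "trojan_signatures": len(trojan_sigs),
            "denied": denied}


if __name__ == "__main__":
    print("PIN-only card:      ", run_scenario(require_presence=False))
    print("presence-per-op card", run_scenario(require_presence=True))
```

The point the model makes explicit is that a PIN authorizes a session on the PC, so anything running on that PC with the PIN inherits the authorization; a per-operation physical check moves the authorization decision off the compromised host, which is why the card (not the PC) has to enforce it. It does not address the other objection in the thread: even with a button, the user still cannot see what the card is signing.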