On 24/06/2013 10:15, Werner Koch wrote:
>> A smartcard could be useful anyway, at least as a "portable keyring"
>> (if it didn't need initialization on every machine...).
> A USB memory stick fulfills the same purpose.
Not really secure...

>> And key export could be controlled (like in MyPGPid card): private
>> keys can only leave the card encrypted under "certified" keys.
> There are several protocols for key migration from token to token.
I don't want to migrate (move) it. I want to replicate (copy) it, to have
one or more controlled backups.

> If you want to do your own, you should be aware of possible patent
> problems.
I leave sw patents to others... And the system I'm going to use should
have enough "prior art" to render a patent useless.

> In any case it is a really complex task and not easy to get
> right - if at all.
The card hosts the public key of an "export-authorizing" CA (well, it's
not a real CA, since it doesn't do certificates at all... but call it
that way for clarity). When I send the card an export command w/ a
public key signed (encrypted) by the CA's private key, the card answers
with the private key encrypted under the signed public key (thinking
about requiring a signature w/ the private key of the requesting card).
Plain old RSA, layered.

>> BTW, for the really "paranoid", readers with an integrated pinpad are
>> available: the PC never sees the PIN, so no installed sw can spoof
>> it. (even if what I'd prefer is a card w/ both a pinpad and a
>> display...).
> Social engineering almost always works. And further, the display of
> your pinpad+display equipped reader does not show you what you are
> going to sign. Even further, there are several attacks on pinpad
> equipped readers - sure that your reader has not been bugged?
Well, a "paranoid" isn't paranoid enough unless he checks the pinpad
cannot be easily read from the PC. :)
I'm waiting for cards w/ integrated pinpad :)

BYtE,
 Diego.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
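As an added illustration of the controlled-export scheme Diego sketches above (this is example code written for this page, not Diego's design as built into any card, and not GnuPG's or MyPGPid's code): a Go model in which the card stores the "export-authorizing" CA's public key, refuses an export command unless the recipient public key carries the CA's signature, and releases its own private key only encrypted to that recipient key, so the original stays on the card and the receiving card ends up with a copy. Everything beyond the message is an assumption of the example: RSA-PSS for the CA signature and RSA-OAEP for encryption rather than raw RSA, and, because one RSA block cannot carry a whole private key, the "layered" step is done by sealing the key under a one-time AES-256-GCM key with the recipient key bound in as associated data. The names Card, Authorize, Export, Import and ExportBundle are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// ExportBundle (hypothetical format) is the card's answer to an authorized export:
// the PKCS#1 private key sealed under a one-time AES-256-GCM key, which is
// itself RSA-OAEP encrypted to the authorized public key.
type ExportBundle struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the AES key
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext of the private key
}

// Card models a token holding its own private key and the CA's public key.
type Card struct {
	caPub *rsa.PublicKey
	priv  *rsa.PrivateKey
}

func NewCard(caPub *rsa.PublicKey) (*Card, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{caPub: caPub, priv: k}, nil
}

func (c *Card) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Authorize runs under the CA's control, off-card: it returns the recipient's
// public key in PKIX DER and the CA's RSA-PSS signature over that DER.
func Authorize(caPriv *rsa.PrivateKey, recipient *rsa.PublicKey) (pubDER, sig []byte, err error) {
	pubDER, _ = x509.MarshalPKIXPublicKey(recipient) // cannot fail for *rsa.PublicKey
	h := sha256.Sum256(pubDER)
	sig, err = rsa.SignPSS(rand.Reader, caPriv, crypto.SHA256, h[:], nil)
	return pubDER, sig, err
}

// Export runs on the source card: it refuses unless the CA signed the recipient
// key, and otherwise releases the private key only encrypted to that key.
func (c *Card) Export(pubDER, sig []byte) (*ExportBundle, error) {
	h := sha256.Sum256(pubDER)
	if err := rsa.VerifyPSS(c.caPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, errors.New("export refused: recipient key not authorized by the CA")
	}
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	recipient, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("authorized key is not an RSA key")
	}
	// One RSA-OAEP block cannot hold a whole private key, so the key is sealed
	// with a fresh AES-GCM key and only that 32-byte key is RSA-encrypted.
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aesKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(aesKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block cipher
	// The recipient DER is bound in as GCM additional data, so a bundle
	// cannot be re-addressed to another key without the tag check failing.
	ct := gcm.Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(c.priv), pubDER)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &ExportBundle{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Import runs on the receiving card, the only holder of the key that unwraps the AES key.
func (c *Card) Import(b *ExportBundle) (*rsa.PrivateKey, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, b.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("bundle was not wrapped for this card")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	myDER, _ := x509.MarshalPKIXPublicKey(c.PublicKey())
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, myDER)
	if err != nil {
		return nil, errors.New("bundle was not sealed for this card")
	}
	return x509.ParsePKCS1PrivateKey(pt)
}
```

The point the model makes visible is where the trust actually sits: the card's refusal depends entirely on the CA public key it was personalized with, so whoever holds the matching CA private key decides which keys a backup may be encrypted to, and that key deserves the same handling as the card's own secret. The receiving card's private key is the second factor, since an authorized bundle is useless to anyone who does not hold it, and the associated-data binding means a bundle cannot be quietly re-addressed after the fact. Diego's idea of additionally requiring a signature from the requesting card would be a third check layered on top of the same structure.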