> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG

I have thought for a while that something like this would be a good idea, it's been sitting on the list of things to have a go at for a while, so I'm glad to see that someone is actually doing it.

It could be useful to include other kinds of key management than GnuPG, e.g. for code-signing. Maybe not shown to the user in the first instance, but it seems like a good idea to have it in the image.

> - would anybody else like to suggest improvements to the workflow?

I realise it's a livecd, but I would suggest explicitly banishing anything resembling swap support from the image if possible.

I also think that insisting that the user print a revocation cert before continuing is a bit harsh; I don't have a printer connected to my airgapped machine, for example, but since I have multiple backups of the private key I'm not too worried.

As far as smartcards, that PKCS#11 tool hasn't had a release since 2011 according to its website. In any case, even if you do get it working then ultimately you have to use whatever type the user has in the reader, which at the moment is essentially always an OpenPGP card. Plus as I understand it you need to distribute all of the per-card drivers for PKCS#11, which tend to be non-free.

I think this may be off-topic, but one related thing that I'd also like to look into at some point is whether one can use SELinux to do red/black-separation style stuff. Since this livecd is only really meant for signing it isn't terribly useful, I don't think, unless you wanted to do something like prevent exported private keys from being written to non-special media for example.

Thanks,
Lachlan