On 11/08/2017 03:45 PM, Peter Lebbing wrote:
On 08/11/17 16:27, ved...@nym.hush.com wrote:
or, more practically, just post anonymously to a blog or website,
using --throw-keyid, with a pre-arranged understanding that the
sender and receiver post to and check certain websites
I did not phrase it properly, leading to a misunderstanding.
We are talking about using a smartcard on a compromised computer. I
reasoned from the OpenPGP Card specification[1]. You can simply ask the
smartcard for the public key; the actual cryptographic public key.
So as an attacker with control over the computer, you see that someone
succesfully decrypts a document using his OpenPGP card. You ask the
smartcard for the public key that was used to encrypt the document, and
you have a fully unique identifier for the key that was used.
there are many real-world use cases where the recipient does not mind
that an adversary knows he is receiving encrypted communication, as
long as the content is secure, but where the sender can be exposed
to various levels of unpleasantness if the adversary can find out
he is communicating with a specific recipient, using encryption.
The ownership of a device such as one discussed in this thread is
trivial to conceal, especially when compared to a computer equipped
to participate in encrypted communications.
Real-life threat-models are much more varied than what Alice, Bob
and Eve would have us believe.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users