On 2020-01-06 18:26, Christoph Groth wrote:
> Robert J. Hansen justifies [4] his use of a smartcard as follows:
>
> > Why don't I want to store the private key on multiple computers?
> > Because a good rule of thumb in a forensics lab is "store the minimum
> > personal data possible on your systems".
>
> But then he also mentions his 128-bit passphrase and that he would be OK
> to publish his (passphrase-protected) private key in a newspaper. Why
> then not store it on the disks of multiple computers?

Hint: because the phrase "forensics lab" is extremely important in what I wrote.

I used to (don't any more) work in a forensics lab doing R&D into recovering data from memory, SSD, and spinning-platter media. While I was doing this my colleagues were reverse-engineering malware. Our network was airgapped from the rest of the network, but we were still paranoid about data getting out -- including information about our identities. When you're doing reverse engineering on a botnet belonging to an organized crime syndicate, you really don't want the organized crime syndicate to discover your name.

I was also using OpenPGP to help move data into and out of our airgapped network. When a CD came into our lab containing data to be loaded onto machines, we used OpenPGP to verify its provenance. When we burned a CD containing data to be removed from the lab, we'd put a signature on it so the system administrators in the lab outside could be certain that a specific human being was taking responsibility for the contents of that CD.

Problem: I didn't want there to be any certificate stored on the lab machines... because any user ID that identified me would be personal information of the kind I didn't want to be stored.

Solution: use a smartcard. A smartcard allowed me to make these signatures while leaving minimal forensic traces.

But, outside of that laboratory environment, I didn't -- still don't -- need to use a smartcard. Usually I just keep the key on the hard drive of whatever machine I'm using.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users