Re: Hardware Keyring

2015-06-09 Thread Antoine Michard
Sorry Peter, I got Open Hardware and Open Spec mixed up...

Diego, like you I like the FST-01 very much and I really want to try it.
And the private key is protected from the SWD port and encrypted inside memory, so...
I think it's safe enough for me :)

Thanks for the reply!!

2015-06-09 15:38 GMT+02:00 NdK :

> On 09/06/2015 10:19, Antoine Michard wrote:
>
> > - FST-01 : Can be entropy device
> > (NeuG ), can be
> > upgraded (need ST-LINK/V2), Only one enclosure with no attach. And Open
> > Source Too
> That's the one I like most, given my security needs. Remember that it's
> not as hardened as a smartcard if the attacker gains unsupervised
> physical access to it for a long enough time. But it uses commodity
> hardware you can source where you prefer, so a backdoor is really *much*
> less probable!
>
> And the creator reads this list, too! :)
>
> The only thing I really miss is that the trust db is not in the token,
> but integrating it would require changes/extensions to the protocol.
>
> BYtE,
>  Diego.
>



-- 
Antoine Michard
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


State-of-the-art way to setup a shared security@ email with hardware-backed keys?

2015-06-09 Thread Simon Josefsson
I want to setup a secur...@example.com contact email address that should
accept OpenPGP encrypted emails.  The purpose is to notify us of
security incidents.  The decryption key needs to be shared by several
people who are authorized to read and reply to such emails.  Naturally I
don't want soft keys laying around on everyone's disk.

Is anyone doing this for some organization?  What is the best way to
achieve this?

My current idea is to generate a secur...@example.com master PGP key and
keep that offline, and to generate one decryption sub-key, and load that
onto a couple of OpenPGP Card smartcards.

This would allow authorized people to decrypt emails properly, by using
the "security team smartcard".  To respond to the emails, they would
need to use their own smartcard, which is a nuisance but workable.

Dealing with revocation (if someone quits or loses their smartcard)
seems feasible: just revoke the subkey and generate a new one, loading
that onto everyone's smartcards.

One alternative I can think of is to setup a server that receives the
email, decrypts it and encrypts it to all people who should receive it.
Then they can use only their personal smartcard and don't need to carry
another smartcard around.  The disadvantage with this is that the server
will become an easy attack target.

What we currently use is to publish the individual PGP keys for all
security team members, so people can encrypt to all of us and email
directly, but that is rather unfriendly to people sending us reports.

Thoughts?

/Simon


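Simon's proposed layout (a certify-only primary that stays offline, and one encryption subkey that is the only secret the shared smartcards ever hold), as an added example that is not from the thread or from GnuPG's own documentation. It assumes GnuPG 2.1 or newer on PATH, uses a constructed placeholder address because the real one is elided above, and stops at the subkey-only export: the final `keytocard` step inside `gpg --edit-key` needs a physical OpenPGP card. The second keyring stands in for a team member's machine and is used to confirm that the primary arrives only as a stub (`sec#`), which is the property that makes the card scheme safe to hand out. Rotating the subkey after someone leaves or loses a card is the same `--quick-add-key` plus a fresh export.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): build the offline-primary /
# shared-encryption-subkey layout in a throwaway GNUPGHOME and prove that the
# subkey-only export carries no primary secret. Assumes GnuPG >= 2.1.
set -eu

# Constructed placeholder UID; the real address in the thread is elided.
TEAM_UID="Security Team <security@example.invalid>"

# Fresh keyring configured for unattended (loopback) passphrase handling.
setup_home() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
  printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
}

# Certify-only primary (the part kept offline) plus one encryption subkey
# (the part that would be copied onto each team member's card).
# Prints the primary fingerprint.
make_team_keys() {
  local fpr
  gpg --batch --quiet --passphrase '' --quick-gen-key "$TEAM_UID" ed25519 cert never
  fpr="$(gpg --batch --with-colons --list-keys "$TEAM_UID" \
         | awk -F: '$1=="fpr"{print $10; exit}')"
  gpg --batch --quiet --passphrase '' --quick-add-key "$fpr" cv25519 encr 1y
  # Subkey-only export: GnuPG replaces the primary secret with a stub.
  gpg --batch --quiet --passphrase '' --export-secret-subkeys "$fpr" \
      > "$GNUPGHOME/team-subkeys.gpg"
  echo "$fpr"
}

# Import the export into a second, empty keyring and report whether the
# primary arrived as a stub: in --with-colons output, field 15 of the "sec"
# record is "#" for a stub and empty for a usable secret key.
check_primary_is_stub() {
  local fpr="$1" team_home="$GNUPGHOME" member_home
  member_home="$(mktemp -d)"
  chmod 700 "$member_home"
  cp "$team_home/gpg.conf" "$team_home/gpg-agent.conf" "$member_home/"
  GNUPGHOME="$member_home" gpg --batch --quiet --import "$team_home/team-subkeys.gpg"
  GNUPGHOME="$member_home" gpg --batch --with-colons --list-secret-keys "$fpr" \
    | awk -F: '$1=="sec"{ if ($15=="#") print "stub"; else print "full"; exit }'
  GNUPGHOME="$member_home" gpgconf --kill gpg-agent
  rm -rf "$member_home"
}

main() {
  setup_home
  local fpr
  fpr="$(make_team_keys)"
  echo "team primary: $fpr"
  echo "subkey-only export: $GNUPGHOME/team-subkeys.gpg"
  echo "primary on a member keyring: $(check_primary_is_stub "$fpr")"
  gpgconf --kill gpg-agent
}

main "$@"
```

With a card attached, the remaining step on each team member's machine is `gpg --edit-key <fingerprint>`, `key 1`, `keytocard` against the imported subkey; the stub primary means a stolen laptop yields nothing that can certify or rotate subkeys.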


Re: Hardware Keyring

2015-06-09 Thread NdK
On 09/06/2015 10:19, Antoine Michard wrote:

> - FST-01 : Can be entropy device
> (NeuG ), can be
> upgraded (need ST-LINK/V2), Only one enclosure with no attach. And Open
> Source Too
That's the one I like most, given my security needs. Remember that it's
not as hardened as a smartcard if the attacker gains unsupervised
physical access to it for a long enough time. But it uses commodity
hardware you can source where you prefer, so a backdoor is really *much*
less probable!

And the creator reads this list, too! :)

The only thing I really miss is that the trust db is not in the token,
but integrating it would require changes/extensions to the protocol.

BYtE,
 Diego.



Re: Hardware Keyring

2015-06-09 Thread Peter Lebbing
On 09/06/15 10:19, Antoine Michard wrote:
> Hi All,

Hello,

Just a quick scribble, not an extensive answer.

> - OpenPGP Card : cheap, secure, need
> a smartcard reader (or USB Key). Can't use on smartphone but easily
> store in a wallet. And of course it's Open Hardware. Can use Smartcard
> Pageant for Windows 

It's *not* open hardware. Only the specification is open. If you've
found the claim somewhere that it is open hardware, I think it would be
interesting to know where, so the webpage owner can be notified of the
mistake, or something.

It can be very difficult to make an open source crypto smartcard because
you usually have to sign NDAs and things to be able to use one. Open
hardware /with/ a crypto accelerator is definitely even more difficult.
Plus, how far do you go with "open"? Do you want the design of the chip
in the Hardware Description Language it was designed in? ("the preferred
form of the work for making modifications to it").

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Hardware Keyring

2015-06-09 Thread Antoine Michard
Hi All,

I would like to buy a hardware keyring to store my future subkey and for
better security.
I haven't got keys now, but with my future email address and server I would
like to use the GPG system more: to sign all my outgoing mail, to connect
through my ssh server, maybe to encrypt files, etc...

I found a lot of them but it's hard to choose which one.
Here are my choices, please add yours:

- OpenPGP Card : cheap, secure, needs a smartcard reader (or USB key). Can't use on smartphone but easily store in a wallet. And of course it's Open Hardware. Can use Smartcard Pageant for Windows
- Yubikey Neo : multiple usage, NFC (for smartphone) and U2F, NOT OPEN SOURCE (and security breach recently)
- FST-01 : Can be entropy device (NeuG), can be upgraded (needs ST-LINK/V2), only one enclosure with no attachment. And Open Source too
- NitroKey : Best of all I think but not available yet

I want to use my device at work, at home and when travelling with my netbook. If
I can, I would like to use it with my smartphone but I can live without. I
love Open Source and Open Hardware, I think it's the future for better devices
and transparency. But I'm not a developer so I trust the people who read the
code...

So, what's your advice about hardware keyrings?? Do you know any others??
What's your keyring???
Thanks for replying

-- 
Antoine Michard