Re: Smart Card Physical Best Practices?
On Sat, Feb 26, 2011 at 09:40:07PM -0500 Also sprach David Tomaschik:

> I've recently received my smart card, but was wondering what the best practices are, mainly from a physical standpoint. When I use it in my laptop reader, it sticks about 2 out of the side, and I have some concern about this (i.e., getting damaged by being pushed into something, etc.).
>
> I am using the Authentication key on it for SSH, and the normal signing encryption operations, so I suppose I need it when sending signed email and signing into a system. Do most people leave it in the computer most of the time, or just insert it as needed?
>
> This brings to mind: how many insertion cycles can these cards handle? Looking online, various smart cards are rated anywhere from 10,000 to 250,000 insertions. (At 10,000, as few as 10 insertions per day would net a 3 year lifetime.)

If you are concerned with the insertion-limited lifetime, and with other possible kinds of damage to the smart card itself, perhaps you should consider getting one of the versions with the SIM removal option. Pop the chip out of the card and put it inside one of those USB tokens that take them.

Then the SIM itself is always (at least partially) protected inside a casing, and the insertion problem is offloaded onto the USB mechanism (which is more expendable). If the USB token fails eventually, take the SIM out and put it in a new one; you may have been using it for years by then, but your effective insertion count is 2.

As an added bonus, you may use your OpenPGP card on any computer with a USB port, without needing a separate card reader available.

--
Le hasard favorise l'esprit préparé. --Louis Pasteur

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smart Card Physical Best Practices?
* Grant Olson k...@grant-olson.net [110227 04:11]:

> I usually just leave it in until I leave the computer for lunch or a meeting or whatever.

Same here, but I always take the card with me if I leave the room.

> One thing I didn't realize at first, is that once you've unlocked either your encryption or authentication key, it will remain unlocked as long as the card is powered up, regardless of any password cache settings you've set in your gpg configuration. If that bothers you, but you don't want to keep yanking and inserting the smartcard, you can kill the scdaemon process and it'll effectively 'unplug' your card. I'm pretty sure there's an easier command to do this too, but I can't remember it off-hand.

Yes, this might be an issue. What I do is that I run my gpg-agent in a loop and the agent is killed every 10 minutes or so, also causing scdaemon to exit. This works pretty well. And, of course, you should force the card to ask for the PIN for every single signature (this can be set on the card itself).

> But I personally just assume I'll notice the blinking activity light on my reader if some malware script or something weird tries to run gpg commands while the card is activated.

My multitasking capabilities are not good enough for parallely working on my PC and always watching my card reader at the same time ;-)

Martin
Smart Card Physical Best Practices?
I've recently received my smart card, but was wondering what the best practices are, mainly from a physical standpoint. When I use it in my laptop reader, it sticks about 2 out of the side, and I have some concern about this (i.e., getting damaged by being pushed into something, etc.).

I am using the Authentication key on it for SSH, and the normal signing encryption operations, so I suppose I need it when sending signed email and signing into a system. Do most people leave it in the computer most of the time, or just insert it as needed?

This brings to mind: how many insertion cycles can these cards handle? Looking online, various smart cards are rated anywhere from 10,000 to 250,000 insertions. (At 10,000, as few as 10 insertions per day would net a 3 year lifetime.)

I hope this all makes sense...

David
Re: Smart Card Physical Best Practices?
On 02/26/2011 09:40 PM, David Tomaschik wrote:

> I've recently received my smart card, but was wondering what the best practices are, mainly from a physical standpoint. When I use it in my laptop reader, it sticks about 2 out of the side, and I have some concern about this (i.e., getting damaged by being pushed into something, etc.).
>
> I am using the Authentication key on it for SSH, and the normal signing encryption operations, so I suppose I need it when sending signed email and signing into a system. Do most people leave it in the computer most of the time, or just insert it as needed?
>
> This brings to mind: how many insertion cycles can these cards handle? Looking online, various smart cards are rated anywhere from 10,000 to 250,000 insertions. (At 10,000, as few as 10 insertions per day would net a 3 year lifetime.)
>
> I hope this all makes sense...

I usually just leave it in until I leave the computer for lunch or a meeting or whatever.

One thing I didn't realize at first, is that once you've unlocked either your encryption or authentication key, it will remain unlocked as long as the card is powered up, regardless of any password cache settings you've set in your gpg configuration. If that bothers you, but you don't want to keep yanking and inserting the smartcard, you can kill the scdaemon process and it'll effectively 'unplug' your card. I'm pretty sure there's an easier command to do this too, but I can't remember it off-hand.

But I personally just assume I'll notice the blinking activity light on my reader if some malware script or something weird tries to run gpg commands while the card is activated.

--
-Grant

Look around! Can you construct some sort of rudimentary lathe?
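
The two mitigations discussed in this thread (ending scdaemon on a timer so the card loses its verified-PIN state, and requiring a PIN for every signature) can be combined in a small watchdog. This is an added example, not code from any of the posters; it assumes GnuPG 2.1 or later for `gpgconf --kill`, the English `gpg --card-status` output, and a constructed sample status text. Reading the card's signature counter is an addition beyond what the thread describes.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.1+ and C-locale output.

# Constructed, trimmed sample of `gpg --card-status` output for offline use.
SAMPLE_STATUS='Reader ...........: Example Reader 00 00
Signature PIN ....: not forced
PIN retry counter : 3 0 3
Signature counter : 12'

# Exit 0 when the status text on stdin shows that the card demands the PIN
# for every signature; exit 1 for "not forced" or when the line is missing.
signature_pin_forced() {
    grep -Eq '^Signature PIN[ .]*: forced[[:space:]]*$'
}

# Print the card's signature counter from status text on stdin. A jump you
# cannot account for means something signed while the card sat in the reader.
# It counts signatures only, not decryption or authentication operations.
signature_counter() {
    sed -n 's/^Signature counter[ .]*: *\([0-9][0-9]*\).*$/\1/p'
}

# End scdaemon so the card is released and its unlocked state is dropped;
# the next gpg or ssh operation has to present the PIN again.
drop_card_session() {
    gpgconf --kill scdaemon
}

# Only with --loop: every INTERVAL seconds (default 600, i.e. 10 minutes)
# report the card settings, then release the card.
if [ "${1:-}" = "--loop" ]; then
    interval="${2:-600}"
    while sleep "$interval"; do
        status="$(LC_ALL=C gpg --card-status 2>/dev/null)" || continue
        printf '%s\n' "$status" | signature_pin_forced \
            || echo "warning: card does not require a PIN per signature" >&2
        echo "signature counter: $(printf '%s\n' "$status" | signature_counter)"
        drop_card_session
    done
fi
```

The per-signature PIN flag itself is toggled on the card with `forcesig` in the admin mode of `gpg --card-edit`; the script only reports its state.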