Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Robert J. Hansen
> It is objectively more secure. No. Security is inherently subjective. A risk that one person is willing to bear, another is not; a risk one person deems catastrophic, another deems insignificant.

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Wouter Verhelst
On Sun, Apr 23, 2017 at 08:42:45PM -0400, Robert J. Hansen wrote: > > There are a > > few possible attacks that the use of a smartcard mitigates, and > > therefore a smartcard key *is* more secure than a non-smartcard key > > No. It's more secure *only if those attacks are within your threat > pr

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Ineiev
On Mon, Apr 24, 2017 at 07:50:15AM +, listo factor via Gnupg-users wrote: > "...the general purpose > operating system is fundamentally inadequate for trusted > operations." ... > The use of smartcards is to me only a welcome sign that a > growing segment of gpg users appears to agree with that

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Robert J. Hansen
> Look at how many people think 3DES is obsolete, for instance, or that > anything less than AES256 is risky. My bad: I used "obsolete" when I should've said "insecure". I fully agree 3DES is obsolete; it's the "3DES is insecure" which is, IMO, unsupported and faddish. (The best attack on 3DES r

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread Robert J. Hansen
> The use of smartcards is to me only a welcome sign that a > growing segment of gpg users appears to agree with that > proposition. The overwhelming majority of GnuPG users do not know enough about information security to have an opinion worth listening to. More than that, they shouldn't need to

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-24 Thread listo factor via Gnupg-users
On 04/24/2017 12:42 AM, Robert J. Hansen wrote: -- but [smartcards] do not rise to the level listo is > ascribing to them... The central argument I've been making in this thread is not the promotion of smartcards, it is something best summarized by the quote from the Laurie-Singer paper: "...th

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-23 Thread Robert J. Hansen
> No, that is *one of* the game-over conditions; it is not *the* game-over > condition. [a lot of stuff I agree with snipped] Please re-read the thread. You'll see you're agreeing with Peter Lebbing and me. We've consistently maintained smart cards are useful in a number of use cases and threat

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-23 Thread Wouter Verhelst
On Sat, Apr 22, 2017 at 01:01:12PM -0400, Robert J. Hansen wrote: > The game-over condition without a smartcard is, "my computer gets > compromised by an attacker." No, that is *one of* the game-over conditions; it is not *the* game-over condition. Without a smartcard, there are other game-over co

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-22 Thread Robert J. Hansen
[lots of good stuff I completely agree with snipped] > not people like Robert J Hansen I only use my full name and middle initial to prevent confusion with Robert "rsnake" Hansen. He and I both spoke at Black Hat a few years ago, we're both in the computer security field, and so on. "Robert J.

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-22 Thread Robert J. Hansen
> Smart card is not the device authors discuss in that paper, but it is > a small, evolutionary step toward it. Not really. What's the trusted device in the system? It's still the desktop PC. A compromise there leads to so many different and catastrophic attacks that it needs to be called a gam

Re: "general purpose OS is fundamentally inadequate for trusted operations"

2017-04-22 Thread Peter Lebbing
On 22/04/17 09:34, listo factor via Gnupg-users wrote: > Consequently, the promotion of its > use is frowned upon primarily by those that are more interested > in spreading the use of gpg for philosophical and political > reasons among those that don't have any real adversaries, I completely disa

"general purpose OS is fundamentally inadequate for trusted operations"

2017-04-22 Thread listo factor via Gnupg-users
On 04/10/2017 03:25 AM, Robert J. Hansen - r...@sixdemonbag.org wrote: Preserve the security of your endpoint system. Nothing else will do. The year is 2017 and this is simply no longer a practical strategy: "...Our position is that the general purpose operating system is fundamentally ina