Smart card fragility?

Alex Mauer hawke at hawkesnest.net
Tue Sep 20 19:15:25 CEST 2005


Werner Koch wrote:

> One could imagine a reader with keypad which reliably enforces the use
> of the pinpad by catching all VERIFY commands and somehow is able to tell
> the user which PIN has been requested (requires knowledge of the smart
> card application).  I don't know such a reader.

Or a standardized way for a card reader to respond to any application
with that information.

I'm not going to hold my breath for such a solution though. :-D

> > treat it as a flag that tells the card to wipe all private keys.
> 
> Yes, this is possible.

Possible, surely.  But how likely to get into the OpenPGP card?

> Actually card vendors won't see that as a benefit to them.  After all
> their business is to sell cards.

Of course it would not be an immediate benefit, but I think they would
find that many more people would be interested in their product if it
didn't have a built-in self-destruct mechanism.  I know I'd be much more
inclined to push for my company to use a smart card that was reusable.

> For the user the real damage is not
> the locked card but the loss of the keys which are far more valuable
> than that piece of plastic and silicon.

The relative value of the key vs. the card depends on the application.
For something like a CA, the key is almost definitely more valuable.  (I
guess the term "CA" doesn't really apply to OpenPGP ... so say a very
well-known key pair.)  But in a case where the card is used primarily for
authentication, or really any "client-side" type application, the card
is probably going to be more valuable.

For me, I use the card for a signing subkey and auth subkey only (for
just this reason) so if the key is lost, I could just generate a new
signing key and carry on without losing anything. But if the card is
lost/locked I have to buy a new one, which is a hassle and expense I'd
prefer not to have to deal with.

> OTOH, I understand your concerns.  In particular when developing
> applications a complete wipe out command would be a nice to have.  We
> already discussed whether we can add such a thing as an optional
> feature to the next release of the specification.

That would be excellent if it's likely to actually be implemented.

Thanks
-Alex Mauer "hawke"
-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net

More information about the Gnupg-devel mailing list