GPG support in Mahogany

Olaf Gellert
Mon Dec 16 22:57:01 2002


just a short (and late) remark:
> > But why? Why you worry about this, but you don't worry that someone's
> > machine in the message path isn't compromised?
> I do not understand how a compromised machine in the path is a problem.
> The reason to encrypt is exactly to make sure one does not have to
> bother with that, no? Would you want to say that an external (w.r.t.
> encryption) signature could be removed?

Well, if your machine is compromised, you may not notice
this immediately. So the attacker install a little daemon
that is locking your keystrokes, gets your passphrase and
that way compromised your key. Even with public key
cryptography the overall security level ist that of
the weakest link. And there is NO way to prevent this.
Even with smartcards, you cannot prevent an intruder
from changing your signing software (just a little
trojan) so when you want to sign a document, the
software gives a hidden other document to the signing

The only solution to this is a completely secured device.
This could be some kind of PDA running with a certified secure
signing software, implemented in hardware (so it cannot
be changed). This device may get the document you want
to sign via a simple interface (maybe as a tif- or
bmp-image, but not as postscript or word-document, because
there you could implement some features that hide parts
of text under certain conditions). It displays the document,
asks you if you want to sign it, you enter the pin and
the document is given to the smartcard to be signed...
This is a quite secure and very expensive solution. ;-)




Olaf Gellert                                            _ - __o                                    _- _`\<,_                       - (_)/ (_)
Most people would sooner die than think; in fact, they do so.
        -- Bertrand Russell