GPF Crypto Stick vs OpenPGP Card

Hauke Laging mailinglisten at hauke-laging.de
Sat Dec 4 02:37:47 CET 2010


On Friday 03 December 2010 17:32:50, Werner Koch wrote:
> On Fri,  3 Dec 2010 13:21, mailinglisten at hauke-laging.de said:
> > A first improvement would be to show the hash to be signed. Of course, you
> 
> That does not help.  Even if you would be able to compare it with the
> hash displayed on the host box, you gain nothing: Any malware which
> foists you a different file for signing won't have a problem to display
> you the same hash value on the host and the pinpad.

Sure, that was clear to me. Let's have a second look at what I wrote:

####################
Of course, you cannot trust the hash calculation on a potentially compromised 
PC but this would be a start for further protection (e.g. by sending the file 
to someone else and comparing the hashes).
####################

:-)


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814