Renewing expiring key - done correctly?
Hauke Laging
mailinglisten at hauke-laging.de
Wed Dec 4 02:31:34 CET 2013
Am Di 03.12.2013, 20:10:32 schrieb Robert J. Hansen:
> UEFI is a surprisingly capable operating environment. If I can
> compromise your machine, then I put down my own code in the UEFI loader
> and wait for you to reboot your machine.
That's why crypto best practices should be extended to "what hardware to buy".
Of course, then the point is approaching where your next argument kicks in:
Complexity which limits the usage to 1% of the population.
But this is what the chipset-based write protection for flash has been
invented for long ago. That, of course, doesn't exclude the possibility to
hack the firmware on boot by some bogus NVRAM content... Unfortunately it
seems to be impossible to ensure that a (normal) system is incapable of
storing data. Disconnecting the disk just limits the available storage.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20131204/372abc80/attachment.sig>
More information about the Gnupg-users
mailing list