More secure than smartcard or cryptostick against remote attacks?

Robert J. Hansen rjh at
Fri Feb 8 01:17:05 CET 2013

On 02/07/2013 02:31 PM, Peter Lebbing wrote:
> You seem to be implying that unless something is perfect, something is bogus,
> and people should not bother.

No.  I am arguing that if you do not/cannot trust the machine you're
running GnuPG on, *there is no dongle you can add to your system to
restore your trust in that machine*.  You want a system in which, even
if GnuPG is compromised, you can't be tricked into signing something
other than what you intend to sign -- where, even if GnuPG is
compromised, you can trust the signatures you make.  Good luck.  It
can't be done.

You need to be able to trust your hardware.  If you don't, then no
matter what dongle you use, the door is open for an enterprising
malcontent to exploit you in any of hundreds of ways.

> Why do you even have GnuPG if you feel that an attacker worth your
> time would have you in his pocket?

Because I trust my hardware.  If you can trust your hardware, then
there's a lot of stuff you can do.  If you can't trust your hardware,
then the only thing you should be doing is figuring out a way to restore
that trust.

> Actually, you might want to rethink that whole Fedora thing, because I think
> someone has gone through quite some effort for your private key. He even
> pretended to be Werner Koch, and laughed himself silly when you gave him a
> bloody account to the machine he already owned more than you did.

Sure.  That's theoretically possible.  I don't believe it to be true,
though.  My machine is trusted not because I'm certain that it's immune
to being pwn3d, but because I acknowledge that it can break my local
security policy and I'm willing to accept what I perceive as the risks.

If you don't trust your hardware, then that means you're not willing to
accept the risks you perceive.  And that's a really big problem.  If
you're not willing to accept the risks you perceive as associated with
your hardware, then why are you using your hardware?

> I'm slightly confused. Because everything you object to the device I have in
> mind is equally well deployed against the smartcard, yet the smartcard
> apparently is not bogus.

The smartcard solves a completely different problem than what you're
talking about.  This is why there's a differential answer.

More information about the Gnupg-users mailing list