Talking about Cryptodevices... which one?

Peter Lebbing peter at digitalbrains.com
Fri Feb 6 12:09:35 CET 2015 

On 06/02/15 01:21, Matthias-Christian Ott wrote:
> If they provably don't sign their firmware or incorrectly check the signature
> and are not responsive, perhaps it would be helpful to talk to them through
> third parties like BSI or S-CERT

Why?! Why would I do that?! I do like to think of myself as a bit altruistic,
but seriously, why would I go through all that effort? Thanks for making me
smile. It does a person good.

Furthermore, I am a bit tired of this subject, forgive me for not answering most
of what you say. I get the impression you're not picking up on what I'm trying
to say, and that becomes a bit tiresome.

>> I'm absolutely sure nobody made that claim. More miscommunication galore?
>> ;)
> 
> Werner Koch suggested it (<87y4oen5lx.fsf at vigenere.g10code.de>).

If you would link[1] to the mailing list archives I wouldn't have to open the
(what Thunderbird calls) "message source" to visually compare the Message-ID on
a likely message.

Anyway, that wasn't such a long mail. It sure doesn't contain your suggestion.
You're really doing a lot of extra interpretation and inference if you take that
suggestion from:

> I think such a discussion is important and belongs here.  I see no
> reason to discuss the need for 8k or even 4k keys if we neglect to
> discuss hardware or malware based attacks.  In fact the immediate need
> for very large keys is mostly an academic exercise while the latter are
> real threats.

To me, it says that 4k or 8k keys are not the weak spot of a cryptosystem. And
that we should discuss weak spots on this list. Thank you for your contribution
in that. But it sure as hell doesn't say that a smartcard keeps you safe when
you're working on a compromised system.

> If somebody wants to discuss or answer these questions that I'm asking myself
> for years, I will be happy to continue the discussion otherwise I'm out of
> it.

Glad we agree on that at least.

Cheers,

Peter.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2015-February/052344.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

More information about the Gnupg-users mailing list