Enigmail speed geeking

Robert J. Hansen rjh at sixdemonbag.org
Thu Mar 12 18:21:56 CET 2015


> That's quite a personal issue to count as a failing of smart cards.

Sure!  And I even said that.  "For many users, smart cards are a good
idea.  (I've got one myself.)  But for just as many users, smart cards
are inconvenient and overkill."  Your use case isn't my use case.

That said, I've heard from enough people over the years sharing the "I
can never find a reader when I need one" problem for me to think I'm not
alone.

>> I'm not sure the (marginal) additional security from using a smart 
>> card is worth the (very real) usability expense.
> 
> Oh, you mean like being able to use a more humane PIN / passphrase?

Depends on the user.  I personally have three different 128-bit
passphrases memorized (sixteen random bytes base-64 encoded).  Other
people have trouble remembering their four-digit ATM PIN code.

Will I get additional security from using a smart card?  Depends on my
specific usage and my goals, but in most of my cases, no.  Enough to
justify the usability expense?  Again: it depends on my specific usage
and my goals, but in most of my cases, no.

But that doesn't mean I don't use my smart card.  I do.  I just use it
in use cases where it makes sense to do it.

>> Then I discovered the downside of USB tokens: they don't take well 
>> to going through the wash.
> 
> Are you serious? I wouldn't know but I'm guessing the computer you 
> use to decrypt those messages won't take too well to water either.

Probably not, but in my defense, Apple didn't put a hole in my laptop
and give me a glossy brochure showing a MacBook Pro hanging off my
keychain, either.  Rainbow Technologies did, and what happened to the
token after that was predictable.  It went where my car keys did.
Namely, the wash.

> Sure you need a reader and sure, you shouldn't throw the reader into
> water but come on. You go out of your way to make them sound like 
> something completely unusable.

Not "completely unusable".  In the best case, a smart card adds 30-45
seconds to my operation time.  That's a price I'm willing to pay for
certain operations.  For others, it's not.

If you think I'm portraying them as "completely unusable," then I think
you didn't bother to read my message very closely.  Their usability and
appropriateness are *intensely* dependent on the user and the operating
environment.  For some users they make a lot of sense.  For others, they
don't.

> I think they add security and depending on the user and use case
> they either add inconvenience minutely or the complete opposite, they
> add usability.

The number of environments, number of users, and number of use cases is
way too vast to be able to make a glib statement like this.  You're just
wrong.  :)

The answer is, "it depends."
