Enigmail speed geeking

Ville Määttä mailing-lists at asatiifm.net
Thu Mar 12 20:49:08 CET 2015


On 12.03.15 20:52, Robert J. Hansen wrote:
>> My point was that you wrote multiple paragraphs worth of stories on
>> two emails from which I really got the impression that people should
>> just not bother.
> In response to someone who was thinking that storing keys on your hard
> drive was categorically unsafe, and that smart cards were categorically
> necessary, yes.

Absolutely. I agree. I think the difference of opinion here stems from
how I read the reply you sent. After the first couple sentences it's not
much about answering the question anymore :).

The question was: Are smart cards a must? No, they are not.

>>> The answer is, "it depends."
>>
>> Isn't "it depends" exactly what I said ?
> 
> No.  You said they add security, period, and that they either
> inconvenience minutely or add convenience.

All things being equal, they do practically add security, period :).
Well, you're quite right that it's impossible to say that they would add
security in all situations. Maybe they could also weaken it in some. But
you can use the same passphrase with or without the card. You can have
your subkeys on the card or on the computer. Maybe you can fill in the
rest. I.e. all things being equal:

The card can, and by default probably will, limit the number of
passphrase attempts. And then it locks. Is it absolutely secure against
hacking? No. But it should be quite difficult to hack. And an important
point is to only have subkeys in there that you can revoke.

> That's not an "it depends"
> answer.  That's a "this is true in all times and situations" answer, and
> that's exactly wrong.

I said "depending on the user and use case". It is an it depends answer.

> They do *not* add security in all times and
> situations

I'm not making such a claim. The world is not black and white. Yes or no
only. I'm not talking about some theoretical, mathematically proven
statement that smart cards are more secure in every possible way. They
are not.

>, and they do *not* only ever cause minute inconvenience.

I don't know how you count the 30-45 second number from before but for
me it adds 1-10 seconds, maybe. Hard to estimate but it doesn't really
add any inconvenience to my use. And obviously, that's quite subjective.

I'm not even trying to make a point that they would be more secure all
the time. But, practically, they can be a cheap and convenient way to
add security. Everyone has to evaluate their use case though.

Here's an example. Is it better to store secret keys on each computer or
a smart card? I use multiple different computers and think that it's
more secure to have the keys on my smart card. So, more security by not
having to distribute the secret keys to all those computers. I'd say
that's convenient security as the secret keys come with me to whichever
computer I happen to be using.

-- 
Ville
