Making the case for smart cards for the average user

NIIBE Yutaka gniibe at
Sun Mar 15 09:47:51 CET 2015

On 03/14/2015 05:13 AM, Joey Castillo wrote:
> Of course smart cards aren't some kind of magic bullet, but if the
> goal is to drive wider adoption of GnuPG and OpenPGP based
> cryptography, I can't shake the feeling that smart cards are a huge
> part of the answer. Thoughts?

I think that a smartcard is _not_ a "must", and having private keys on
the host PC as files is fine, given the condition that the user keeps
the computer safe.  If a user is good at administrating a POSIX system (or
whatever operating system) and managing specific files, it would be
safer than using unfamiliar hardware.  And... users should keep their
computer safe from the beginning, you know.

Well, when I needed to make copies of private keys (for multiple
computers), I felt anxious.  This is a major reason why I started
using the OpenPGPcard, and then I started to develop Gnuk.

For myself and for one of the release keys of GnuPG, I use Gnuk.

However, please note that the situation is not that perfect.

Please note that although I have been doing my best to improve GnuPG's
smartcard support (especially its stability), it currently only
supports basic smartcard things.  For example, you can easily find a
lack of support for multiple cards / tokens.  We need more improvements
here (and there).

I'm happy that I can see people discussing the use of smartcards/tokens
for GnuPG nowadays.  I interpret it as a sign of the stability/usefulness of
scdaemon.  If not, please file a bug report or two. :-)

From here, it's tl;dr. :-)  It is a somewhat long story.

The culture/practice around smartcards, especially in the industry (in
Japan), is not friendly to free software development.  Basically, they
require NDAs here and there.  Although many engineers just say "we
support FLOSS", there are conflicts in practice when they try to give
technical information to outsiders.

In general, for free software, it is difficult (or sometimes simply
impossible) to support existing smartcards.  It is mostly similar for
smartcard readers, although the situation is better than for smartcards.

When I started Gnuk in 2010, I had expected it would be the (last)
missing piece.  I soon realized that I was wrong.  And we still have
many things to do in 2015.

I worked and I am working for:

    * Firmware as free software: Gnuk
    * TRNG implementation: NeuG
    * Reference hardware: FST-01
    * Software improvements on host PC: scdaemon

... while I highly depend on:

    * Improvements of development environment: GCC, OpenOCD, KiCAD, etc.

... and I would like to do something around:

    * Improvements on OpenPGPcard specification

Well, I'm afraid... the situation around smartcards for GnuPG is not
yet mature enough to invite average users.

My focus is on the development of those things, and my work is
supported by the sales of FST-01.  Since the situation is not mature
enough (for me), I am caught in a dilemma: I want to sell more FST-01,
but selling more FST-01 now means more possible troubles (to me).

If someone is already a user of GnuPG, I could invite him to use the Gnuk
Token.  I mean, I could sell FST-01 with Gnuk to him, and I would say
that access using SSH could also be safe and easier.

However, if it is the first time for him to use any Free Software
tool, it would be difficult for me to help him effectively.  When
I need to start from an explanation of the difference between proprietary
software and free software, I would hesitate on some occasions.  Yes,
I _do_ or I try to do so (not always, but in most cases), but my physical
body and my hours are limited.

Or, if it is the first time for him to use any smartcard/token on his
system, it would be difficult for me to help him effectively.

Because of this situation, I don't advertise FST-01 much to the general
public, while I believe the Gnuk Token would be a better solution in many
cases.  I think that it's ready for evaluation by developers and
experienced users of Free Software.
