Smart card

Will Senn wsenn1 at twu.edu
Tue Apr 4 07:19:11 CEST 2017


On 4/3/17 11:48 PM, Doug Barton wrote:
> On 04/03/2017 08:33 PM, Will Senn wrote:
>> I didn't ask if I should get one. I asked if there were resources to
>> help a newb make decisions regarding them. While I sense a certain
>> disdain in your response, I'll make some clarifying comments in the hope
>> that it's worth the effort...
>
> Robert's answer was more than a little snarky, yes. But, you send your
> question to a free mailing list, you get what you paid for. :)
> Meanwhile, go back to your first post, and remember the question I
> asked you, before anything else?
>
> What's your threat model?
>
Fair enough, and I have learned quite a bit based on everyone's
responses. I admit, freely, to not understanding everything that y'all
have said. I do not really know what I need vs what I think I need. In
my uneducated state, I think I want to be as secure as possible and I'm
willing to invest time and energy in the pursuit of what knowledge I
need. But I don't know what I don't know. It just seems to me that if
having access to PGP helps me secure my email from prying eyes, and
keeps my sensitive files from being viewed by others, that is helpful.
What I've read seems to hint that a smart card is a good way to limit
some of the potential exposure of having keys lying around.

I thought I answered the threat model question, but if I haven't I'm
sorry. See if this is a threat model:

I'm a tech savvy citizen who wants to protect my email (Seems to be
working - Enigmail automates encryption, signing, and decryption pretty
seamlessly), protect my files on disk (GPG's symmetric encryption works
for this quite easily and well), sign files that I share (GPG signatures
seem ideal), verify software packages that I download (gpg --verify
seems much better than relying on a hash that has no relationship with
an identity), begin to establish a public identity that is trustable and
verifiable (web of trust type stuff, my understanding here begins to get
fuzzier), and do this on mac/linux (very rarely, windows) machines that
are permanently or occasionally attached to a reasonably secure home
network that is behind a reasonably sophisticated firewall, as well as a
laptop that occasionally connects to secure networks outside of the home.

What I noticed, while I was figuring out how to do the six normal gpg
operations, is that I have a hard time with key proliferation - it seems
like having lots of devices either makes for having lots of copies of
keys or lots of copying of files to and from the device with the keys...
So, I just thought (hoped) that a Smart Card might be a solution for a
problem like this :).

> As Robert pointed out, it's really hard for us to give you a map if
> you can't tell us what you want your destination to be.
>
> Doug

I get it. Thanks... if I could only figure out how to ask the right
question :).




More information about the Gnupg-users mailing list