Smart card

Rainer Hoerbe rainer at hoerbe.at
Sun Apr 9 18:34:42 CEST 2017


> On 09.04.2017 at 17:26, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
> 
>> Good point, and I agree to that for a very basic assessment. However,
>> the assumption that only politicians and government employees holding
>> a security clearance are targeted by Mossad & co is a thing of the
>> past.
> 
> It never was true -- for decades the French DGSE surveilled Airbus's
> competitors, for instance.

and their main competitor’s government in reverse as well :-)

> 
> But the point still stands.  The attacks you're talking about are not
> automated.  They require significant per-target involvement from
> highly-skilled technical talent, and once you posit you're being
> targeted by people who have both technical talent and a budget you're
> far outside the realm where a smartcard can save you.

Sorry, not any more. Look at the online-banking fraud business. Automated credential stealing tools from simple keyloggers to sophisticated malware such as from the Zeus family are available on a pay-and-play basis.

> 
> There are definitely domains where smartcards make sense.  I use a
> smartcard not just because of high-value secrets, but because I use
> several different computers.  A smartcard means I have one copy of my
> private key that I can safely share between rigs, without the risks that
> come from each machine having a copy, putting my private key on an NFS
> share, storing it on a USB drive, or any of the other ways to tackle it.

I thought your private key is so well encrypted that you can publish it in a newspaper?

Anyway, from a market success point of view the dominant applications for smartcards are mobile and bank cards. They have solved the usability problem, which GPG, PKCS11 etc. have not done yet. As long as the effort to set up smartcards is so high it will not make sense to users to spend time with a risk that is difficult to assess.

- Rainer

