"general purpose OS is fundamentally inadequate for trusted operations"

Wouter Verhelst w at uter.be
Sun Apr 23 17:00:13 CEST 2017


On Sat, Apr 22, 2017 at 01:01:12PM -0400, Robert J. Hansen wrote:
> The game-over condition without a smartcard is, "my computer gets
> compromised by an attacker."

No, that is *one of* the game-over conditions; it is not *the* game-over
condition. Without a smartcard, there are other game-over conditions;
e.g., if you've created a backup of your home directory, that backup
contains a copy of your private key, and the attacker somehow manages to
get hold of your passphrase, then that is *also* a game-over condition.
The same is not true for smartcard keys. This is also just one example;
there are others.

Also, the *level* of compromise need not be the same. With
non-smartcard keys, an attacker does not need to continuously compromise
the victim's computer; just getting access to the private key and the
corresponding passphrase *once* is enough. This can not be said for
non-smartcard keys.

Yes, it is correct to state that smartcard keys are not a panacea; there
are still various possible options which an attacker has, even with
smartcard keys, to be able to break the system and read all encrypted
data. However, it is incorrect to state that therefore the security of a
smartcard is the same as that of a key on a hard disk drive. There are a
few possible attacks that the use of a smartcard mitigates, and
therefore a smartcard key *is* more secure than a non-smartcard key, and
it *does* improve security. It just doesn't mitigate *every* possible
attack.

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12


