New smart card / token alternative
Peter Lebbing
peter at digitalbrains.com
Wed Nov 8 16:45:27 CET 2017
On 08/11/17 16:27, vedaal at nym.hush.com wrote:
> or, more practically, just post anonymously to a blog or website,
> using --throw-keyid, with a pre-arranged understanding that the
> sender and receiver post to and check certain websites
I did not phrase it properly, leading to a misunderstanding.
We are talking about using a smartcard on a compromised computer. I
reasoned from the OpenPGP Card specification[1]. You can simply ask the
smartcard for the public key; the actual cryptographic public key.
So as an attacker with control over the computer, you see that someone
succesfully decrypts a document using his OpenPGP card. You ask the
smartcard for the public key that was used to encrypt the document, and
you have a fully unique identifier for the key that was used.
HTH,
Peter.
[1] It isn't clear to me whether this project is actually adhering to
the OpenPGP card specification, though, I didn't check. I realised this
only later.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171108/d04cf3e0/attachment.sig>
More information about the Gnupg-users
mailing list