<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div><div>If you are using something like Tails you would probably just install the GPG agent. Tails allows installing additional software - https://tails.boum.org/doc/advanced_topics/additional_software/index.en.html. U2F is available in the new version of Firefox being released later this year so if that is included in future Tails release then there would be in-browser support in Tails.</div><div><br></div><div>The risk mentioned with a key-logger/screen capture is the same for all smart cards/tokens, and really all methods of composing a message on a computer. The risk would even apply to Tails if say the user installed malicious software or browsed to a site that exploited a browser vulnerability.</div></div>
<div><br></div><div><br></div>
<div id="ydp9bebed46yahoo_quoted_0890913410" class="ydp9bebed46yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Monday, November 6, 2017, 5:26:51 PM EST, <vedaal@nym.hush.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr"><br clear="none"><div class="ydp9bebed46yqt0376423563" id="ydp9bebed46yqtfd84264"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">On 11/6/2017 at 4:55 PM, "Tim Steiner" <</font></font><a shape="rect" href="mailto:t@crp.to" rel="nofollow" target="_blank"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">t@crp.to</font></font></a><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">> wrote:</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">\We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">We set out to solve this problem -"Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - </font></font><a shape="rect" href="https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo" rel="nofollow" target="_blank"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo</font></font></a><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">We are interested to hear feedback on this approach from the community.</font></font></div><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">=====</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">Using this on anything except your own computer, or laptop, is problematic, </font></font><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">Can it be made to work with Tails/Tor which uses GunPG ?</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">(The 'insecure' browser on Tails not involving Tor, is a Firefox variant. </font></font><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">If it can work on that, then booting from the Tails USB avoids a screencapturer, and using on on-screen keyboard avoids a hardware keyboard logger.</font></font><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">But even so, there are problems with using it on an 'unknown' computer :</font></font><br clear="none"><br clear="none"><a shape="rect" href="https://tails.boum.org/doc/about/warning/index.en.html#index2h1" rel="nofollow" target="_blank"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">https://tails.boum.org/doc/about/warning/index.en.html#index2h1</font></font></a><br clear="none"><br clear="none"><br clear="none"><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">vedaal</font></font><div class="ydp9bebed46yqt0376423563" id="ydp9bebed46yqtfd57045"><br clear="none"><br clear="none"></div></div></div>
</div>
</div></div></body></html>