1 |
You have to trust the device that you interface with in any case. If the |
2 |
computer is compromised, how do you know that the message you pipe |
3 |
through for signing is the same as on the screen? |
4 |
|
5 |
-John |
6 |
|
7 |
On Mon, 2004-03-29 at 10:47, Paul de Vrieze wrote: |
8 |
> -----BEGIN PGP SIGNED MESSAGE----- |
9 |
> Hash: SHA1 |
10 |
> |
11 |
> On Sunday 28 March 2004 18:39, Sami Näätänen wrote: |
12 |
> |
13 |
> > To do what? |
14 |
> > |
15 |
> > The master key will not be present there. |
16 |
> > And if you don't provide those keys that are in the card the keys you |
17 |
> > make with the trojaned machine can't be validated with the master |
18 |
> > public key. |
19 |
> |
20 |
> That would only work if the external device actually performs the |
21 |
> singing. Not when the key itself is readable by the computer the device |
22 |
> is inserted in. I don't know if it would be possible to acquire such a |
23 |
> device allthough they probably exist. |
24 |
> |
25 |
> Paul |
26 |
> |
27 |
> - -- |
28 |
> Paul de Vrieze |
29 |
> Gentoo Developer |
30 |
> Mail: pauldv@g.o |
31 |
> Homepage: http://www.devrieze.net |
32 |
> -----BEGIN PGP SIGNATURE----- |
33 |
> Version: GnuPG v1.2.4 (GNU/Linux) |
34 |
> |
35 |
> iD8DBQFAZ+K5bKx5DBjWFdsRAsvmAJ4sxzDl7z05qvloegttB5Omm1FsFQCgsttT |
36 |
> DMv+RqOgr9ZnMLxArOOxMaI= |
37 |
> =JzOQ |
38 |
> -----END PGP SIGNATURE----- |
39 |
> |
40 |
> -- |
41 |
> gentoo-dev@g.o mailing list |
42 |
> |