1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA512 |
3 |
|
4 |
On 12/28/2015 07:35 PM, Rich Freeman wrote: |
5 |
> On Mon, Dec 28, 2015 at 10:07 AM, Kristian Fiskerstrand |
6 |
> <k_f@g.o> wrote: |
7 |
>>> On 28 Dec 2015, at 15:58, James Le Cuirot <chewi@g.o> |
8 |
>>> wrote: |
9 |
>>> |
10 |
|
11 |
|
12 |
> That concern is hardly unique to phones. PCs suffer just as much |
13 |
> from this problem. The solution could potentially be the same. |
14 |
> For |
15 |
|
16 |
But here we already have smartcards (that everyone should and _is_ |
17 |
using... right?) |
18 |
|
19 |
> signing it is a straightforward problem since there is nothing to |
20 |
> be kept secret except the key material itself (just send the |
21 |
> message to the signing device, and return the signature back). For |
22 |
> encryption |
23 |
|
24 |
for clarity (and what I think you already mean), the message in this |
25 |
case is the message to be signed (which is likely a blinded hash or |
26 |
something, so much shorter than the original data) |
27 |
|
28 |
> you have additional challenges if you want to be able to make any |
29 |
> use of the plaintext without it getting stolen - once decrypted it |
30 |
> is only secure as any device that comes in contact with it. And |
31 |
> there is no |
32 |
|
33 |
Indeed, but at least the device won't be able to decrypt further |
34 |
communication as it'd only have access to the session key of the |
35 |
particular message. Loosing control of the private (sub)key is |
36 |
substantially worse, so that might actually be ok for the security |
37 |
parameters of the users. |
38 |
|
39 |
> reason that mobile and browser frameworks couldn't talk to such |
40 |
> devices with the right standards. |
41 |
> |
42 |
> If it were up to me the government would hand out signing devices |
43 |
> just as they hand out passports. |
44 |
|
45 |
This already happen in several countries, including Germany and on a |
46 |
semi-related variant Norway (its government approved to sign |
47 |
electronically using BankID, where the banks does the verification). |
48 |
In germany there is even a CA that checks the government ID and |
49 |
certify OpenPGP keys based on it. |
50 |
|
51 |
- -- |
52 |
Kristian Fiskerstrand |
53 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
54 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
55 |
-----BEGIN PGP SIGNATURE----- |
56 |
|
57 |
iQEcBAEBCgAGBQJWgpGGAAoJECULev7WN52FHM4H/3hRy9UcmNtQ9cXOKR6xvwPy |
58 |
jso78Adi2EP4rGdMJrczBO7ymG5NSxF3rtVel1UjyYfT8x3MEgPfyyG26yGUOo6X |
59 |
tyL5dBiZ6dLCDMDAJdc3tTuLkgaRCkyPZFva6qOp3DgHMAez+wQTKTkmzpMGmG8M |
60 |
UxqrUWOS/7cGx5Dp+GOYWqd6nx+xrzwg63UbZqstwpPGZVp1BzI/Cat0KQv2j+q1 |
61 |
SU7IKvl4B2HmuL7BeZrc1H7Vj4BmUC1bgw5jnaA0E5oAsHvYefVxBQkt6sroxrbJ |
62 |
8cXm4NGFRrLf4YkO/x7T7CRxnVLcGKdNkrKJDquCcsPHbc9oR44JBiXdO4OaWd4= |
63 |
=dIzk |
64 |
-----END PGP SIGNATURE----- |